03 Aug 2020
Kiwibank’s privacy breach impacted 4200 of their clients
Last week Kiwibank had a privacy breach that affected 4200 of its customers. In this breach, customers were sent another person’s transaction history in an email or online bank statement. Kiwibank is currently investigating how this happened. The impact of this is huge, with the new Privacy Act coming at the end of this year.
The challenge here is that the information sent out could allow others to identify another person’s details. An email released by Kiwibank stated, “Kiwibank takes its obligations to maintain customer privacy and confidentiality very seriously. We have notified the Privacy Commission and want to reassure you that we are working to ensure this doesn't happen again.” It was good to see that the breach was notified to the Privacy Commissioner’s Office immediately once it had been identified. Currently the Privacy Act does not make this notification mandatory. However, what is the bank doing to ensure that this will not happen again? Who is liable? And will the new Privacy Act be enough to ensure this does not happen within these organisations? The new Privacy Act comes into effect in New Zealand on 1 December 2020. This includes a Name and Shame Registry and a maximum fine of $10,000 for any penalty breach.
Kiwibank stated that it considers the risk to be low, but that there may be potential repercussions for people whose information is visible in the bank statement. If I were a customer at Kiwibank, I would not have been so happy. And if the bank that I was with had a breach like this, I would be choosing to find a different bank to move to after 13 years. The fact that they had a software issue that caused people to receive another person’s bank account number is a very scary thought. What does the cost of a breach like this mean to Kiwibank?
Kiwibank, as a trusted government-based organisation, is supposed to be keeping this type of data safe. Is this the new normal? Over the last couple of years, more and more New Zealand-based organisations have had breaches than in the past: Fisher and Paykel, Lion Breweries, Toll, Honda, University of Auckland, Generator Kiwisaver and Asics, to name a few. With these breaches, becoming resilient is more crucial than ever.
This year has been a difficult one for New Zealand businesses. Becoming resilient and adverse is far more important than before. Working together on changing practices and understanding what best practice would be will be an important starting point. The biggest question here is: how is Kiwibank going to answer to its customers? And what will it do to prevent this from happening again?