Source: Privacy Commissioner
What happened
A finance business received a phone call from a person claiming to be an existing customer. They knew the name, date of birth and address of the customer and were able to mislead customer centre staff at the finance business. They obtained further personal information about the customer, accessed their account, and made changes to their password settings.
The customer noticed their account had been changed and contacted the finance business, which took steps to protect the customer’s account by applying warning notes to the account. Yet the other person was able to bypass these protections multiple times, make further changes to the customer’s information and use their account for unauthorised transactions.
The customer repeatedly said someone was accessing their account, and both using and making changes to their personal information. The finance business did not identify these concerns as privacy issues and only focussed on the fraud aspect of the customer’s concerns.
The affected customer raised a complaint with OPC.
Relevant privacy concerns
This matter raised several concerns under the Privacy Act 2020:
- Principle 5 states agencies must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information.
- Principle 8 states that agencies must check before using or disclosing personal information that it is accurate, up to date, complete, relevant and not misleading.
- Principle 11 states that an organisation may generally only disclose personal information for the purpose for which it was originally collected. Other grounds for disclosure are sometimes allowed, such as where an individual has consented to their information being shared, or where disclosure is necessary to prevent a serious threat to a person’s safety.
- Section 114 requires agencies to notify the Privacy Commissioner as soon as practicable after becoming aware of a notifiable privacy breach.
Our complaint investigation
We investigated the complaint and formed a preliminary view that the finance business had breached principles 5, 8 and 11. On that basis, we worked with the complainant and the finance business to resolve the issue, with the finance business taking steps to protect the complainant’s account and agreeing to financial compensation for the emotional harm caused by the breach.
Although the specific complaint was resolved, we had wider concerns about the finance business’s privacy practices and so the matter was referred to our Compliance and Enforcement Team for review.
Compliance review into the privacy breach
On reviewing the matter, we identified that the finance business’s actions amounted to a notifiable privacy breach. As the agency had failed to report it to OPC, the requirements of the Privacy Act were not met.
We raised concerns about the limited verification steps used to confirm that the caller was in fact the customer. This deficiency allowed the individual to obtain more details about the customer’s account and make several changes to its initial settings.
We also identified a failure by staff to follow internal procedures for checking the additional security placed on the customer’s account. As a result, staff missed, on multiple occasions, the additional password and warning notes that had been placed on that account.
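The two deficiencies above (knowledge-based details such as name, date of birth and address being treated as sufficient, and staff not checking the additional password and warning notes) are both failures of a control that depended on people remembering to apply it. The following is an added illustration, not code from the finance business or from OPC, of a contact-centre verification gate that enforces the check in software: baseline details only ever unlock read access on an unflagged account, any warning note or sensitive change forces the additional password, and repeated failed verifications on one account are surfaced for breach assessment rather than being treated purely as attempted fraud. The action names, the two-failure incident threshold and the PBKDF2 storage of the additional password are assumptions made for the example.

```python
"""Enforced caller-verification gate for a customer-contact centre (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional
import hashlib
import hmac
import os


class Action(Enum):
    VIEW_ACCOUNT = "view_account"
    CHANGE_PASSWORD = "change_password"
    CHANGE_CONTACT_DETAILS = "change_contact_details"
    MAKE_TRANSACTION = "make_transaction"


# Assumed policy: anything that alters the account or moves money is sensitive.
SENSITIVE_ACTIONS = {Action.CHANGE_PASSWORD, Action.CHANGE_CONTACT_DETAILS, Action.MAKE_TRANSACTION}
INCIDENT_THRESHOLD = 2  # assumed: two failed verifications on one account raise an incident


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the additional password is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 200_000)


@dataclass
class Account:
    customer_id: str
    warning_notes: List[str] = field(default_factory=list)
    extra_password_hash: Optional[bytes] = None
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    failed_verifications: int = 0
    audit_log: List[str] = field(default_factory=list)

    def set_extra_password(self, secret: str) -> None:
        self.extra_password_hash = hash_secret(secret, self.salt)


@dataclass
class CallerClaims:
    """What the caller stated; each flag records whether it matched the customer record."""
    name_matches: bool
    dob_matches: bool
    address_matches: bool
    extra_password: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str
    incident: bool = False  # True when the failure pattern should go to breach assessment


def verify_call(account: Account, claims: CallerClaims, action: Action) -> Decision:
    """Decide whether the requested action may proceed on this call."""

    def deny(reason: str, count: bool = True) -> Decision:
        if count:
            account.failed_verifications += 1
        account.audit_log.append(f"DENY {action.value}: {reason}")
        return Decision(False, reason, incident=account.failed_verifications >= INCIDENT_THRESHOLD)

    if not (claims.name_matches and claims.dob_matches and claims.address_matches):
        return deny("baseline identity details did not match")

    # Name, date of birth and address can be known to a third party, so they only
    # ever unlock read access, and only on an account carrying no warning notes.
    step_up_required = action in SENSITIVE_ACTIONS or bool(account.warning_notes)
    if not step_up_required:
        account.audit_log.append(f"ALLOW {action.value}: baseline verification")
        return Decision(True, "baseline verification sufficient")

    if account.extra_password_hash is None:
        # Not the caller's failure: the account simply cannot be changed over the phone.
        return deny("step-up required but no additional password set; route to second-line review", count=False)

    if claims.extra_password is None:
        return deny("additional password required but not provided")

    candidate = hash_secret(claims.extra_password, account.salt)
    if not hmac.compare_digest(candidate, account.extra_password_hash):
        return deny("additional password did not match")

    account.audit_log.append(f"ALLOW {action.value}: additional password verified; notes={account.warning_notes}")
    return Decision(True, "additional password verified")


if __name__ == "__main__":
    # Constructed scenario mirroring the case: customer reports misuse, a warning note
    # and additional password are applied, then a caller with only baseline details tries again.
    acct = Account("C-1001")  # constructed customer id
    acct.warning_notes.append("customer reports unauthorised access; verify additional password")
    acct.set_extra_password("correct-horse")
    for claims in (CallerClaims(True, True, True), CallerClaims(True, True, True, "guess")):
        print(verify_call(acct, claims, Action.CHANGE_PASSWORD))
    print("\n".join(acct.audit_log))
```

The point of the gate is that the warning note and additional password are enforced by the system on every call, not recalled by whichever staff member answers; the `incident` flag is what lets the business recognise repeated failed verifications as a possible privacy breach to assess, rather than only as a fraud attempt.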
A lack of understanding of the overlap between fraud incidents and privacy breach incidents, together with unclear privacy incident management plans, led the finance business to miss its statutory obligation to report this privacy breach incident to OPC. The business believed that, because the individual already held details of the customer obtained elsewhere, it was not a privacy matter, and that, because the unauthorised transactions were reimbursed, no harm had been caused to the customer.
In this case, the unauthorised access to sensitive financial information created a high likelihood of harm for the customer: not only financial harm, but also emotional harm due to the significant stress the customer experienced after seeing the protections on their account bypassed multiple times. We determined that the finance business had breached the Privacy Act.
Compliance response
We considered our compliance options for the breaches of the Privacy Act using our Compliance and Enforcement Regulatory Action Framework.
In this case, the finance business engaged productively with both OPC and the affected individual. We took into consideration its willingness to learn and its acknowledgement that it had failed to comply with the Privacy Act. It immediately took steps to improve its processes for customer verification checks and to conduct privacy training for all staff.
We instructed the finance business to meet its statutory obligation by notifying the privacy breach incident to OPC, and to review its privacy breach management plans and share the reviewed documents with OPC.
Conclusion
Fraud is a growing problem in the finance industry, and it raises significant privacy concerns, primarily due to the sensitive nature of financial information and the potential for privacy breaches. These breaches can compromise customer information, leading to financial loss, reputational damage, emotional harm, stress, anxiety and violation of privacy.
Finance businesses such as banks and lending institutions are common targets for fraud and often hold large volumes of sensitive personal information. In some cases, staff may inadvertently disclose personal information in response to fraudulent requests, potentially breaching the Privacy Act.
This incident highlights the importance of robust identity verification in high-risk sectors and compliance with statutory obligations under the Privacy Act.