The victim lost $300,000 in a scam. Now, sensitive details about her case have been sent to a third party in a serious privacy breach involving the Banking Ombudsman’s office. Photo / Dean Purcell
A scam victim who lost $300,000 to criminals was “horrified” to learn highly sensitive details about her case were mistakenly sent to a third party in a serious privacy breach involving the Banking Ombudsman’s office.
At least three emails meant for the woman – containing details about the fraud and “your bank customer notes” – were mistakenly forwarded by Banking Ombudsman staff to a similar, but different, email address.
The material includes an eight-page document with extensive notes about the victim’s banking history from November 2022 to February 2024.
It lists address, email and phone contacts, driver’s licence and bank account details, reference to a “special care” code added to her file after being defrauded, and multiple late payment warnings.
AdvertisementAdvertise with NZME.
The matter has been referred to the Privacy Commissioner.
The woman said she was stunned by the blunder, which had shaken her confidence in the watchdog’s complaint resolution scheme.
“I was absolutely horrified.
“I just thought, ‘What a bunch of idiots’. They couldn’t even get my email right. How am I supposed to have any trust in the system?”
AdvertisementAdvertise with NZME.
The Herald has previously reported that Kiwibank staff helped the victim transfer $300,000 to fraudsters after she visited a North Island branch in person in November 2022.
She thought she was investing in Barclays Bank bonds though a Citibank investment scheme. In fact, it was a scam and none of the money was ever recovered.
The woman claims the bank manager who helped process the payment did not question her about whether it could be subject to fraud.
“She basically said, ‘Sign it’ and stamped it, and that was it.”
The huge money transfer came just months after the Financial Markets Authority issued a public warning about the Citibank-branded scam.
The victim hired law firm Meredith Connell, which has accused the state-owned bank of failing to detect suspicious or illegal activity.
The woman’s lawyers lodged a complaint with the Banking Ombudsman before Christmas accusing Kiwibank of negligence, and they have been waiting for a final determination.
However, a bombshell email in April from Banking Ombudsman staff delivered a distressing update and mea culpa.
“I am sorry to be needing to contact you about a breach of your privacy,” the email began.
It explained that while sending correspondence to the woman’s lawyer about her case, staff had copied in the victim. But “unfortunately we made an error with your email address”, sending three separate emails to the wrong recipient.
AdvertisementAdvertise with NZME.
The emails contained an information request to Kiwibank about the fraud and the victim’s customer notes.
After realising the error, Banking Ombudsman staff emailed the “wrongful recipient” asking them to delete the information but had not received a response.
“At this stage we do not know who the owner of that email address is, or whether it is in use – though the emails were not returned as undeliverable.
Banking Ombudsman Nicola Sladden’s office has apologised after a staffer sent sensitive information about a scam victim to the wrong email address.
“We will be reporting the breach to the Privacy Commissioner in line with our obligation to do so. Again, we would like to say sorry for our mistake.”
In a statement, a Banking Ombudsman Scheme spokeswoman said the privacy breach was due to “human error”.
There was no evidence to suggest the woman’s information had been misused and the Privacy Commissioner had now closed the file “on the basis that the steps we had taken were a reasonable and sufficient response”.
AdvertisementAdvertise with NZME.
“We are undertaking a review of our processes and while this review is taking place, have reminded staff about the importance of checking addresses before sending emails and of copying addresses from incoming emails, rather than typing them out.
“We apologise unreservedly for what happened and regret the distress this incident has caused.”
The spokeswoman assured the victim they were taking her complaint against Kiwibank seriously and undertaking a “thorough investigation”.
Meanwhile, the victim says she is frustrated by delays in determining her complaint, after Banking Ombudsman staff indicated last week they were still awaiting additional information requested from Kiwibank.
The victim said it had now been six months. She felt Kiwibank was “dragging the chain” and not prioritising her case.
“They’ve had so long to get this information together. I’m really p***ed off. Are they all on holiday?”
AdvertisementAdvertise with NZME.
Kiwibank said it “continues to work with the Banking Ombudsman Scheme” to provide the additional information requested.
The bank stressed that it took its obligations seriously and aimed to respond in a timely manner.
Lane Nichols is a senior journalist and deputy head of news based in Auckland. Before joining the Herald in 2012, he spent a decade at Wellington’s Dominion Post and Nelson Mail.