When is fraud also a privacy breach?

  • Aug 1
  • 2 min read

Updated: Aug 6

A finance business recently found itself under scrutiny after a fraud incident exposed significant gaps in its privacy practices, including a failure to notify the Privacy Commissioner as required under the Privacy Act.


A caller pretending to be a customer was able to mislead staff, access the customer’s account, and make unauthorised changes and transactions. Not once, but multiple times. Even though the customer raised repeated concerns that someone was accessing and using their personal information, the business only treated it as a fraud issue.


But here is the thing. If someone uses personal information to gain access to accounts, bypass security, and cause harm, it is not just fraud. It is a privacy breach too.


The Privacy Commissioner ultimately found breaches of Principle 5 (security safeguards), Principle 8 (accuracy), and Principle 11 (unauthorised disclosure), and criticised the business for failing to recognise its obligation to report the breach.


What can we learn from this?


▪️ Fraud and privacy often go hand in hand. Do not silo your response. Assess both.


▪️ Breach reporting is not optional. If there is a risk of serious harm, notify OPC promptly.


▪️ Identity verification is critical. Robust checks could have stopped this at the first call.


▪️ Internal training and procedures matter. Multiple opportunities to stop the breach were missed.


Privacy obligations are not just a compliance exercise. They are essential to maintaining trust, protecting your customers, and safeguarding your business.


If your business is in a high-risk sector or handles sensitive information, now is the time to review your privacy breach response plan and your staff training.


Case reference: CE03162 [2025] NZPrivCmr2


Privacy Law: O'Brien Legal