On 19 March 2025 one of our clients notified us that clients that did not belong to them were displayed on there account. As the screenshot shows, the name, template and basic information of the client was exposed. However, no detail on the firm doing the audit or sensitive data was displayed.
When the client itself was clicked, it would give the user an error, so the details you see in that page is all that was visible.
The issue was promptly found and resolved. We believe it was an issue for that afternoon, approximately 5 hours (11.55am - 5.13pm).
We carried out an assessment using the Privacy Commissioner online assessment tool. The results were as follows:
Sensitivity of information: Not sensitive
Recipient of information: Someone unlikely to cause harm
Types of harm: No harm likely
Likelihood of harm: Unlikely
Attempts to reduce harm: The problem that caused this breach was fixed
Security measures: Yes
No further work was deemed necessary.