Inside the police breach that exposed 1000 sensitive criminal case files
Inside the police breach that exposed 1000 sensitive criminal case files
Isaac Davison
Isaac Davison
March 7, 2026 • 3:00pm
Copy Link
Just In
Real estate agent stole cash from till while working as a bar manager
3:00 PM
Teacher who had chair pulled out from under her still in pain more than a year later
3:00 PM
‘We’re pretty nervous’: This is what farmers fear will happen to your grocery bill
3:00 PM
Police discovered the huge privacy breach just before the summer holidays. Photo: Ricky Wilson / Stuff
Quality journalism like Isaac Davison's takes time, persistence and the freedom to follow facts. If you value that work, contribute to Stuff.
Learn more
A software glitch just before Christmas led to sensitive police documents being sent out without redactions. Newly-released documents show the scale of the fault and the urgent damage control by police staff.
The full scale of a privacy breach within NZ Police and the rush to contain it over the holiday period has been revealed in newly-released documents.
In all, information from more than 1000 sensitive police investigations was found to have been accidentally disclosed to defence lawyers.
In around 80 of these cases, sensitive information about victims was then forwarded to the defendant, raising potential safety concerns.
In December, a “technical issue” in the police’s Investigation Management Tool (IMT) led to the disclosure documents being sent to defence lawyers with information which was meant to have been redacted but was visible.
ADVERTISEMENT
Advertise with Stuff
ADVERTISEMENT
Advertise with Stuff
The information included names and addresses of complainants in criminal cases, prompting defence lawyers to describe the error as an “ absolute nightmare”.
Got a tip for us to investigate?
Email us securely at [email protected]
contact our team
Documents released under the Official Information Act show that police notified the Privacy Commissioner of the breach on December 16. A senior advisor at New Zealand Police wrote that the breach had been identified the previous day but it might have been occurring for nearly two weeks.
“Worst case scenario approximately 12,000 individual documents could be impacted across approximately 950 investigations,” the advisor told the commissioner’s office. “Police are currently working to determine how many of these documents have been impacted.”
The advisor said police “partially” knew where the documents had been sent and warned that defence lawyers might have already forwarded the sensitive material to defendants. All forwarding of disclosure documents was halted at the time until police could fix the problem.
Two days later, police sent another notification to the Privacy Commissioner, saying they had identified the cause of the problem: a third-party software upgrade. They had also narrowed down the number of files possibly affected: 6000 documents in 700 criminal cases.
Privacy Commissioner Michael Webster. Photo: ROBERT KITCHIN / The Post
The task of identifying which sensitive documents had been shared: the advisor noted that this had to be done manually and would “take some time to fully work through”. The timing of the breach was also significant. It was mid-December and lawyers were heading off on holiday for the shutdown period.
ADVERTISEMENT
Advertise with Stuff
ADVERTISEMENT
Advertise with Stuff
Later that day, Detective Inspector Warren Olsson, from the National Criminal Investigations Group, contacted all police staff whose investigations had been affected by the fault.
They were told to review all of the disclosure documents they had sent to check if the breach could compromise their investigations or anyone’s safety or privacy. They were also asked to tell defence lawyers to delete the documents or send them back.
Olsson told police investigators to warn lawyers that it was against the law to disclose information that could put a person at risk.
If any documents had been passed on to third parties, police staff were told to tell their supervisors urgently and determine whether the victims needed to be notified.
An update to the Privacy Commissioner on December 23 said that defence lawyers had passed on highly sensitive information on 12 occasions. A panel was set up at Police National Headquarters in Wellington to assess the risk of harm in these cases and to notify the individuals involved.
Journalism like this takes a lot of dedication and resources. Support our work.
Learn more
On Christmas Eve, the Privacy Commissioner asked police to provide details about the risks of harm in each of the 12 privacy breaches discovered so far.
“We are particularly interested in cases where risks of physical harm or threats of harm are present.”
ADVERTISEMENT
Advertise with Stuff
ADVERTISEMENT
Advertise with Stuff
The police advisor did not provide details in their response, saying they were still working through all the documents. Police staff would be working over the shutdown period to make sure the high-risk cases were dealt with, they confirmed.
By mid-January, a picture of the breach had become clearer. Police had found that disclosure “packages” in 1037 cases contained information which should have been redacted.
On Friday, Ollson told Stuff that all 1037 cases had been resolved by investigators. In all, police had found 83 cases in which a person had - or may have had - their privacy breached.
“Police is in the final stages of completing the risk assessments and updating the Office of the Privacy Commissioner,” he said.
Chief Victims Advisor Ruth Money. Photo: LAWRENCE SMITH / Stuff
Chief Victims Advisor Ruth Money told Stuff on Friday she was concerned about the breach and had spoken to police in December out of concern about the potential risks for victims.
“They kept me abreast of the issue and there were no reported victim issues,” she said.
Isaac Davison
Isaac Davison
March 7, 2026 • 3:00pm
Copy Link
Just In
Real estate agent stole cash from till while working as a bar manager
3:00 PM
Teacher who had chair pulled out from under her still in pain more than a year later
3:00 PM
‘We’re pretty nervous’: This is what farmers fear will happen to your grocery bill
3:00 PM
Police discovered the huge privacy breach just before the summer holidays. Photo: Ricky Wilson / Stuff
Quality journalism like Isaac Davison's takes time, persistence and the freedom to follow facts. If you value that work, contribute to Stuff.
Learn more
A software glitch just before Christmas led to sensitive police documents being sent out without redactions. Newly-released documents show the scale of the fault and the urgent damage control by police staff.
The full scale of a privacy breach within NZ Police and the rush to contain it over the holiday period has been revealed in newly-released documents.
In all, information from more than 1000 sensitive police investigations was found to have been accidentally disclosed to defence lawyers.
In around 80 of these cases, sensitive information about victims was then forwarded to the defendant, raising potential safety concerns.
In December, a “technical issue” in the police’s Investigation Management Tool (IMT) led to the disclosure documents being sent to defence lawyers with information which was meant to have been redacted but was visible.
ADVERTISEMENT
Advertise with Stuff
ADVERTISEMENT
Advertise with Stuff
The information included names and addresses of complainants in criminal cases, prompting defence lawyers to describe the error as an “ absolute nightmare”.
Got a tip for us to investigate?
Email us securely at [email protected]
contact our team
Documents released under the Official Information Act show that police notified the Privacy Commissioner of the breach on December 16. A senior advisor at New Zealand Police wrote that the breach had been identified the previous day but it might have been occurring for nearly two weeks.
“Worst case scenario approximately 12,000 individual documents could be impacted across approximately 950 investigations,” the advisor told the commissioner’s office. “Police are currently working to determine how many of these documents have been impacted.”
The advisor said police “partially” knew where the documents had been sent and warned that defence lawyers might have already forwarded the sensitive material to defendants. All forwarding of disclosure documents was halted at the time until police could fix the problem.
Two days later, police sent another notification to the Privacy Commissioner, saying they had identified the cause of the problem: a third-party software upgrade. They had also narrowed down the number of files possibly affected: 6000 documents in 700 criminal cases.
Privacy Commissioner Michael Webster. Photo: ROBERT KITCHIN / The Post
The task of identifying which sensitive documents had been shared: the advisor noted that this had to be done manually and would “take some time to fully work through”. The timing of the breach was also significant. It was mid-December and lawyers were heading off on holiday for the shutdown period.
ADVERTISEMENT
Advertise with Stuff
ADVERTISEMENT
Advertise with Stuff
Later that day, Detective Inspector Warren Olsson, from the National Criminal Investigations Group, contacted all police staff whose investigations had been affected by the fault.
They were told to review all of the disclosure documents they had sent to check if the breach could compromise their investigations or anyone’s safety or privacy. They were also asked to tell defence lawyers to delete the documents or send them back.
Olsson told police investigators to warn lawyers that it was against the law to disclose information that could put a person at risk.
If any documents had been passed on to third parties, police staff were told to tell their supervisors urgently and determine whether the victims needed to be notified.
An update to the Privacy Commissioner on December 23 said that defence lawyers had passed on highly sensitive information on 12 occasions. A panel was set up at Police National Headquarters in Wellington to assess the risk of harm in these cases and to notify the individuals involved.
Journalism like this takes a lot of dedication and resources. Support our work.
Learn more
On Christmas Eve, the Privacy Commissioner asked police to provide details about the risks of harm in each of the 12 privacy breaches discovered so far.
“We are particularly interested in cases where risks of physical harm or threats of harm are present.”
ADVERTISEMENT
Advertise with Stuff
ADVERTISEMENT
Advertise with Stuff
The police advisor did not provide details in their response, saying they were still working through all the documents. Police staff would be working over the shutdown period to make sure the high-risk cases were dealt with, they confirmed.
By mid-January, a picture of the breach had become clearer. Police had found that disclosure “packages” in 1037 cases contained information which should have been redacted.
On Friday, Ollson told Stuff that all 1037 cases had been resolved by investigators. In all, police had found 83 cases in which a person had - or may have had - their privacy breached.
“Police is in the final stages of completing the risk assessments and updating the Office of the Privacy Commissioner,” he said.
Chief Victims Advisor Ruth Money. Photo: LAWRENCE SMITH / Stuff
Chief Victims Advisor Ruth Money told Stuff on Friday she was concerned about the breach and had spoken to police in December out of concern about the potential risks for victims.
“They kept me abreast of the issue and there were no reported victim issues,” she said.
