FMA fesses up to website breach and apologises
The regulator had to shut down its website last week after it made public emails from and to Gareth Dobson, a business insurance adviser, and mortgage broker firm Finsol.
They related to a former adviser, Daniel Carlyon.
The Financial Service Providers Register indicates that Carlyon previously worked for Finsol but has since deregistered. After Finsol, he worked at Aspire Advisors in Auckland.
Dobson told media that he had never given the FMA permission to make his emails public.
FMA chief executive Rob Everett said the issue was rectified immediately when the regulator became aware of it. The FMA has identified six cases where sensitive personal information provided to the regulator may have been accessed.
It contacted the people involved to advise them of the issue and any further steps they should take to protect their information.
A preliminary review has identified 27 instances where documents that supported complaints were accessed by internet searches. The documents were inadvertently uploaded to a portal on the FMA website. Of these, six contained sensitive personal information such as financial information. The remaining documents were either already publicly available or did not include any sensitive personal information.
“We apologise to those people who supplied us with information and also to the wider public for this error. Their trust and confidence is critical to us,” Everett said.
“We have reviewed what files were uploaded in this way, what information they contained, and contacted those people whose sensitive personal information may have been accessed.
“We are working hard to ensure we get to the bottom of the issue.”
He said the issue related to documents that were provided to the FMA several years ago, and the FMA was still investigating the circumstances. An initial review indicated that information supplied through an online complaints form between 2015 and 2017 flowed into a folder holding information to be uploaded to the FMA website.
At no point was the information ever linked to public content on the FMA website, nor could it be located by browsing the website.
All but two of the documents were accessed following a change in automated search algorithms on September 30. The FMA believes this is related to ordinary enhancements to search engine algorithms, which took place around that time.
The FMA has worked closely with the relevant government agencies and departments, and has engaged KPMG to assist in its investigations into the cause and extent of the incident.
Everett said a full review of the issue would be conducted by an independent external party.
As a precautionary step, the FMA has removed the ability to upload complaints information via the website.
Financial Advice New Zealand chief executive Katrina Shanks said a breach anywhere was concerning, but in the case of the Financial Markets Authority, the information that people handed over was given as part of mandatory disclosure.
“It’s not like it’s a choice whether to share information, it’s not. That’s the difference.”
She said the association would ask the FMA what happened and how it would stop a recurrence in future. “It’s a significant breach.”
She said any government department needed to have processes and systems in place to protect people’s privacy and the industry needed to be able to have faith in the system.
On its website, the FMA says: “The Financial Markets Authority is committed to ensuring your privacy is protected.
“Any personal information you provide to us will be held and used only in accordance with the Privacy Act 1993. We may disclose personal information to authorised third parties of information assurance services.”