In late September, the company claimed it had “promptly isolated affected systems, limiting the attack’s impact and ensuring the safety of its data”.
But the recent payslip breach disclosed individual employee names, tax codes, IRD numbers, salaries, bank account numbers, taxable earnings and holiday entitlements.
One of the staffers who received the unintentionally disclosed information today said Tomra’s response had been inadequate.
Some of those affected had been laid off after the company announced redundancies.
Tomra has not responded to requests for comment.
The Office of the Privacy Commissioner confirmed Compac reported parent company Tomra’s breach on February 15.
“Privacy breaches are a very serious event, which is why we frequently say that businesses need to treat privacy with the same seriousness as health and safety or prudent financial reporting,” the commissioner’s office said in a statement.
Employment law advocate Max Whitehead said the payroll debacle sounded like a “pretty severe violation of the Privacy Act”.
But Whitehead said maximum penalties of $10,000 per person for such privacy breaches were inadequate.