Tomra layoffs: Data leak of 142 people came a few months after cyber attack

Harald Henriksen, executive vice president of Tomra Food.

Up to 142 people had payslips leaked in the Tomra-Compac data breach just a few months after the company praised itself for a “swift response” to a cyber attack.

And the system blamed for this month’s payslip fiasco has been killed off, according to communication from Tomra executives to some staff.

A Tomra executive this week told affected people a technical error caused payslips of up to 142 people on the Compac Sorting Equipment payroll to be sent to 60 New Zealand-based employees.

In an email, Tomra said to prevent the chances of another breach, it would now use a new system which Deloitte cyber experts had tested.

That system was itself set up after a damaging mid-2023 cyber attack linked to Tomra’s Montreal location, in which a hacker gained access through compromised Tomra accounts.

In late September, the company claimed it had “promptly isolated affected systems, limiting the attack’s impact and ensuring the safety of its data”.

But the recent payslip breach disclosed individual employee names, tax codes, IRD numbers, salaries, bank account numbers, taxable earnings and holiday entitlements.

One of the staffers who received the unintentionally disclosed information today said Tomra’s response had been inadequate.

Some of those affected had been laid off after the company announced redundancies.

Tomra has not responded to requests for comment.

The Office of the Privacy Commissioner confirmed Compac reported parent company Tomra’s breach on February 15.

“Privacy breaches are a very serious event, which is why we frequently say that businesses need to treat privacy with the same seriousness as health and safety or prudent financial reporting,” the commissioner’s office said in a statement.

Employment law advocate Max Whitehead said the payroll debacle sounded like a “pretty severe violation of the Privacy Act”.

But Whitehead said maximum penalties of $10,000 per person for such privacy breaches were inadequate.