Tomra layoffs: Data leak exposes more than 100 staff payslips, Compac personal details

Executive vice-president of Tomra Food, Harald Henriksen.

A privacy breach at Tomra has led to payslips with personal details being widely shared, soon after some of those employees were laid off.

The food processor’s breach involved Compac Sorting Equipment staff being able to see their colleagues’ payslips.

Leaked information from the breach appeared to show individual employee names, tax codes, IRD numbers, salaries, bank account numbers, taxable earnings, and holiday entitlements.

One former employee said the breach included details for about 120 people.

The Office of the Privacy Commissioner confirmed that Compac reported parent company Tomra’s breach on February 15.

“As with any breach, Compac need to investigate to fully ascertain the size and scope of the breach. Our focus has been to provide agencies who have experienced a breach with advice on how to minimise the harm caused by the breach.”

The commissioner’s office said it was up to Compac to provide any more details about the breach.

“Privacy breaches are a very serious event, which is why we frequently say that businesses need to treat privacy with the same seriousness as health and safety or prudent financial reporting.”

A former Tomra employee said he discovered that his and more than 100 other employees’ payslip inflation was shared by email.

“For now we don’t know the extent of the leak of the information,” he told the Herald.

“I do not need the stress right now.”

A Kerikeri packing facility using the Compac Sizer, seen in 2020. Photo / Peter de Graaf

Some of the affected employees were already dealing with layoffs.

Tomra in December said it would keep “hubs” in Auckland and the Bay of Plenty but shut down Auckland and Hamilton operations.

The former Tomra worker said the privacy breach created a lot more hassle for him.

“I’ve called the IRD. I’ve called my bank. By the way, Tomra is not advising anybody to call the bank,” he added.

He said Tomra should issue a public apology.

“I want them to go public and ... keep me informed of the steps that they are taking and I want that to be done on a weekly basis.”

He also wanted compensation for the hours spent since the breach trying to protect his identity, contact agencies, and gather information from other affected workers.

“Ultimately, I am unemployed. I need to be carefully managing my finances.”

He said some people had just been coming to terms with redundancies and hoping to move on but the privacy breach was an insult after already difficult times.

“It’s painful. The situation is so appalling.”

Tomra has been approached for comment.

‘Severe’ breach of privacy

Employment law expert Max Whitehead said the payroll debacle sounded like a “pretty severe violation of the Privacy Act”.

The Whitehead Group managing director said based on available evidence, workers in this situation could sue their employer using the Privacy Act.

If payroll details were disclosed, it made no difference if the affected people were current or former employees.

Even if Tomra instructed the staff to return all the information immediately, it was still in a vulnerable position, Whitehead said.

“If it’s accidental, there’s got to be a degree of forgiveness.”

But Whitehead said the leak was still likely to be problematic - and very embarrassing for at least some of the roughly 120 employees.

If people were on collective agreements, their salary would not be much of a surprise to colleagues.

Most New Zealand workers were on individual agreements and likely to expect privacy around pay and salary, Whitehead said.

A maximum penalty of $10,000 was available per employee, he added.

“The Privacy Act is terribly inadequate in terms of remedies.

“There should be severe lessons learned for all corporates in regards to protecting people’s private information.”

Internal email

An email ostensibly sent from a company finance director to affected workers indicated payslips were sent to several different payrolls, although not all employees were affected.

“Unfortunately, you were impacted and we sincerely apologise to you and everyone affected by this breach,” the email added.

He said “security experts” were looking into the matter.

The email asked employees to delete the mass of payslips, and not look at their colleagues’ details.

It said Tomra had notified the Privacy Commissioner about the breach, and employees worried about compromised IRD numbers should contact Inland Revenue.

The email also said an employee assistance programme was available.

Layoffs

Tomra acquired Compac Holdings in 2016.

In December, Tomra Food executive vice-president Harald Henriksen said the restructure would cause 200 job losses nationwide this year.

Some workers were offered jobs with the company overseas and help to move abroad.

John Weekes is online business editor. He has covered some of New Zealand and Queensland’s most high-profile court cases and trials, as well as politics, breaking news and consumer affairs.