Outcomes - Selected Case Summaries



Spreadsheet data tool causes utility emails to be sent to wrong customers

Informal Resolution | 15 July 2021

A major utility mistakenly sent delinquency emails and form letters containing personal data to unintended recipients via a mail merge process based on the erroneous use of a data tool in a spreadsheet. The data involved the names, addresses, account numbers, account balances and delinquent balances of 123 individuals. Customers who did not use email as their primary contact were unaffected.

During our investigation, the Ombudsman had to issue an information order before receiving a delayed but comprehensive response from the data controller. It appeared that incorrect contact details were merged with customer account details when the mail merge was executed, resulting in the breach.

The data controller took a number of technical steps to prevent a similar breach from recurring, including limiting the data presented in disconnection notices to strictly necessary data such as customer account numbers and delinquent balances.