King’s High School student Toby Holland, 16, said he was taken aback to see his phone number, email and home address published online in a CV he had sent New Zealand Aged Care.
Toby questioned how the company, which runs care homes and villages across New Zealand, managed other sensitive information.
"So, obviously, they can't keep CVs. What can they do with actual medical files?"
After Toby approached the Otago Daily Times on Tuesday night, the ODT found thousands of CVs were publicly accessible on NZ Aged Care’s website.
The company said the issue had been resolved and affected parties were being notified.
Toby had applied to be a casual kitchen hand at the company’s Dunedin facility about a month ago but was unsuccessful.
He and his parents were "shocked and surprised" to discovered his CV — and accompanying personal information — was available after an internet search of his name on Tuesday.
"It wasn't just me, it was even worse," Toby said.
"It was thousands of people. Basically the last two or three years of applicants, everything was just there for anyone to see."
He and his father had contacted New Zealand Aged Care about the issue on Tuesday; yesterday morning, the company thanked Toby for bringing the matter to its attention, told him it was resolved and apologised for any inconvenience.
Toby felt a more thorough apology and proof of information-system changes would have been nicer.
"To basically make sure that it doesn't happen again ... to anyone, ever."
A challenging job market could be made "very daunting" when companies were unable to keep sensitive information private, he said.
"The fact that no-one else has ever thought to look up their name or ever stumbled across it is quite insane."
CVs seen by the ODT were from national and international applicants and included phone numbers, emails, addresses and referee contact details.
They were sorted by month — 414 were available from January alone.
Other information, including a letter of recommendation for an Auckland intermediate school pupil dated February last year, was also available on the website.
The documents were unable to be accessed yesterday morning and much of the company’s website was offline yesterday evening.
Managing director Peter Leathem said the company was aware of the website issue and it had been resolved.
"New Zealand Aged Care is in the process of notifying the Privacy Commissioner and affected individuals in accordance with its obligations at law."
He did not answer other questions from the ODT, including how many people were affected, how long the information was publicly available, how the breach happened or if an apology was forthcoming.
A spokesperson from the Office of the Privacy Commissioner said any organisation or business which had a privacy breach causing, or likely to cause, serious harm must notify the commissioner and any affected people as soon as possible.
"OPC would expect it to be New Zealand Aged Care who would provide any detail they would want to share in such a situation," they said.
They did not specifically say if the office had been notified.
