Case notes information taken has value to those interested in identity fraud
New Zealand’s High Court saw a clear prima facie case that the use, dissemination, or mere retention of data stolen from a neighbourhood community notice board would breach a duty of confidence owed to the platform operator and verified members.
Neighbourly Limited – the applicant in Neighbourly Limited v Unknown Defendants [2026] NZHC 1 – hosts an online platform for neighbours to connect, share information, discuss issues, trade items, and organise events.
Verified members should give Neighbourly, as the platform operator, a range of personal information. Neighbourly profiles include members’ posts, real names, and addresses, generally viewable by fellow verified members within the neighbourhood.
Members can opt to hide their street number, post messages to restricted groups or neighbourhoods, or send messages to individual members. Neighbourly seeks to hold the members’ information confidentially.
On 1 January 2026, Neighbourly learned that someone had listed for sale on the dark web a database of members' information, including their contact details, platform interactions, and direct messages.
Neighbourly temporarily shut down its platform to conduct an investigation, which revealed a system vulnerability and an occasion involving the download of 150 GB of data from its system. Neighbourly tackled the vulnerability and reopened its platform.
Neighbourly’s counsel confirmed that it had notified its members, the Office of the Privacy Commissioner, and the National Cyber Security Centre of the data security breach.
On 5 January 2026, Neighbourly brought a without notice application seeking orders requiring ‘unknown defendants’ to delete and otherwise refrain from dealing with data stolen from its platform.
The High Court of New Zealand granted Neighbourly’s application and deemed it appropriate to grant its requested orders.
The court determined that this case met the threshold for interim relief on a without notice basis. The court held that the possibility of the stolen data’s imminent and anonymous sale justified urgently handling Neighbourly’s application without notice.
The case noted that the downloaded data would be valuable to anyone interested in engaging in identity-related fraud.
The court explained that the temporarily unknown identity of suitable defendants would not impede granting the application because the issued orders’ terms could address anyone who might possess, obtain, or control the stolen data.
The court concluded that the balance of convenience squarely favoured preventing the stolen data’s access, use, or dissemination.
