Inland Revenue has apologised after personal details of nearly 30 customers were incorrectly released last week.
Deputy Commissioner Service Delivery Arlene White said a preliminary internal investigation has indicated the incident may have been caused by a manual handling error.
"We process in excess of 25 million transactions and correspondence every year and regrettably errors can occasionally occur," White said.
"We have contacted the recipient of this information and our highest priority is the return of the information.
"We are also contacting the customers whose information has been released to apologise and letting them know the steps we are taking to remedy the situation."
"Inland Revenue is committed to ensuring that all personal information is secure and customer privacy is maintained at all times.
"The mail handling processes that may have led to the error are being reviewed as a matter of urgency. We will also be talking with our staff about our processes for handling correspondence and the need for extreme care to be taken at all times," she said.
Labour's revenue spokesperson David Clark says the blunder is worrying.
"IRD's privacy breach is a seriously worrying development. We've learnt from the ACC case that one privacy breach is often just the beginning and the problem can be deep within the culture of the organisation," he said.
"In February even John Key admitted the IRD is an agency that is struggling, saying it is being 'held hostage to a lack of technology'. In the two weeks ahead of the tax return deadline 70,000 phone calls to the IRD went unanswered. It is a tax collection agency that has around $7 billion of tax yet to collect. It will cost $1 - 1.5 billion to upgrade its computer systems. There would be no surprise if privacy structures are neglected.
"This Government has a shonky record on privacy. The ACC privacy debacle saw a breach of 6,000 people's privacy on incredibly sensitive issues. I await with interest the Privacy Commissioner's views," Clark said.
Inland Revenue is undertaking a full investigation and the incident had been referred to the Privacy Commissioner.