The NZ Institute of Directors has taken its website offline after it was defaced by a hacker - and it has warned its members to change their passwords in case they were compromised.

Ironically, the Institute - whose members sit on the boards of some of New Zealand's largest companies - has put a lot of energy recently into educating its members about cybersecurity risks, and how to prepare for them.

But its chief executive, Kirsten Patterson, told the Herald that the incident simply proves her point that online threats are very real.

"This situation highlights the importance of boards discussing cybersecurity issues and having disaster recovery and communications plans in place," she said.


Patterson said it did not appear that the hacker, "Vanda the God", was targeting the IoD directly.

Instead, the Institute was hit in a global spray of attacks by the hacker, which also hit sites in the US, the UK and the Americas, according to US media reports and a brag list on Vanda the God's Twitter account, which remains active.

A generic anti-authoritarian message was left on all of the sites: "Join the revolution. Tell your government to f--- off," along with a middle finger and a person wearing the mask often associated with the hacker group Anonymous.

Most of the sites targeted by Vanda are government sites. Patterson says it's possible the hacker - who appears to be based in Brazil - mistook the IoD for an NZ government site - or that it just got caught up in a very broadly targeted campaign.

The Institute has been told by one of its technology partners "that there is a small but highly unlikely chance a list of emails and potentially passwords may have been compromised," Patterson said.

"While we do encrypt this information, we are taking a highly cautious approach and will be asking members to reset their IoD passwords. There were no issues identified with any other information being accessed."

Patterson added, "We're just pleased it was discovered quickly and that we were able to respond."

An update to the Privacy Act, currently making its way through Parliament, will make it mandatory to report data breaches.


Patterson said the Institute had informed its members as soon as possible, regardless of its possible data breach, as part of its core principle of transparency.