Lion confirms a cyber-attack first reported by the Herald on Monday is a ransomware attack - where hackers seize control of data or systems then demand a ransom that often runs to millions.

Toll says data stolen in second ransomware attack within months
Air NZ service provider Travelex held to ransom by hackers demanding $8.5m
Hackers post sensitive F&P Appliances files to the dark web

The brewing giant and bar owner has taken systems offline as a precaution - hitting both manufacturing and customer orders.

Supplies are now running low at a number of outlets. This morning, the company confirmed that plans to ramp-up brewing for level 1 had been thwarted by the ransomware attack - but said customers could still reorder online or by phone.


"Our teams are working as hard as they can to service customers and suppliers, implementing new manual processes and investigating all alternative options," a Lion spokeswoman said.

"We recognise this is imperfect and is causing disruption to our valued partners.

"Throughout the Covid-19 shutdown, we were able to continue to brew beer safely.

"We had stock at hand and were gearing up to increase brewing. This attack has delayed those plans, and we're working to bring our breweries back online as soon as possible.

"We had been hoping to have full access restored by now, but unfortunately this process is taking longer than we hoped."

There is no evidence that any of the information contained in Lion's system, including financial or personal information, has been affected, "but this is something that we will review closely as we continue to investigate the incident".

Subscribe to Premium

Lion was working with law enforcement authorities and had alerted the Privacy Commissioner.

Lion's stable on this side of the Tasman includes beer brands Lion Red, Speights and Steinlager, Lindauer and Wither Hills wine, Havana Coffee Works and the partially-owned Mt Difficulty and Good Buzz kombucha. In Australia, its business lines include a dairy operation and beer brands including XXXX Gold and Toohey's. It also owns craft beer maker and eatery Little Creatures, which brews on-site at various locations including Hobsonville Pt, Auckland.


One manual workaround, now fixed, saw Lion inadvertently send Australian customers wishing to order milk to the phone number for a Sydney-based cyber-security consultancy called Cliffside Security (which was quick to point out it was not involved in the security breach).

Ransomware surge

The Lion incident is just one of a rash of ransomware attacks on corporate targets.

Toll Group has been hit twice this year. Air NZ currency exchange partner TravelEx was hit in January and Fisher & Paykel appliances is in the midst of a ransomware attack that has seen a number of its sensitive files published to the dark web as a criminal gang ramps up the pressure for it to pay up.

Honda's global operation and BlueScope steel in Australia have been other recent targets.

Peter Bailey, MD of local security outfit Aura, told the Herald that ransomware attackers were exploiting the Covid-19 outbreak, with emails purporting to contain coronavirus information actually linking to malicious software that enabled attackers to take over a network.

What to do if you're hit by ransomware

New Zealand businesses or individuals hit by a cyber-attack are advised to contact Crown agency CERT (the Computer Emergency Response Team) as their first step.


CERT acts as a triage unit, pointing people to the right law enforcement agency or technical contacts.

CERT director Rob Pope and police both advise against paying up on a ransomware demand, even if the sum involved is modest.

They say there is no guarantee that data will be returned, or unlocked. They also caution that while paying a small ransom can be convenient, the money can help fund Eastern European gangs who are also involved in the likes of drug and human trafficking.

New Zealand's Privacy Act has no requirement for organisations to report a data breach to authorities or customers, but a revamp of the legislation, currently before Parliament includes mandatory disclosure provisions.