Privacy Commissioner Michael Webster is planning an investigation after Wellington-based IT provider Mercury IT was hit by a ransomware attack - potentially compromising sensitive data it hosts for multiple clients, including health insurer Accuro, BusinessNZ, the NZ National Nurses Association and the Ministry of Justice, with 15,000 Coroners Court files taken out.
The GCSB’s National Cyber Security Centre said government agencies whose data has been impacted include some providers contracted to Te Whatu Ora, Health NZ. The incident has not impacted the delivery of health services, the NCSC said.
The NCSC is leading the response, supported by the police and Cert NZ. The Herald first reported elements of the attack last Friday.
“There has been a cyber security incident involving a ransomware attack on Mercury IT. Mercury IT provides a wide range of IT services to customers across New Zealand,” the Privacy Commissioner’s office said.
“This is an evolving situation. We were notified of the cyber security attack on November 30. Urgent work is underway to understand the number of organisations affected, the nature of the information involved and the extent to which any information has been copied out of the system.
“The Office of the Privacy Commissioner is planning on opening a compliance investigation into this incident so that it can make full use of its information-gathering powers. We encourage any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner.”
In a statement, Mercury IT director Corry Tierney said:
“On 30 November 2022, we became aware that we were the victim of a cyber-incident after a malicious and unauthorised actor gained access to our server environment. This was immediately escalated to senior management. The incident was raised with relevant Government authorities, and we have engaged external specialist support. Our response to understand how this occurred, and address the impacts, is at an early stage; however, all possible steps have been taken to secure our environment. We are committed to supporting our impacted clients with their own investigations wherever possible and we apologise, sincerely, for the impact this attack has caused.”
Through a spokesman, Tierney refused to answer any questions.
“We cannot provide further information on the impact and our mitigation at this time as the actors behind this incident, or others, can leverage any publicly available information,” he said.
This afternoon, the Ministry of Justice confirmed that a cyber attack had blocked access to 14,500 coronial files and around 4000 post-mortem examination reports.
Some 30,000 customers of health insurer Accuro have had personal data potentially exposed via the attack on Mercury IT.
The Nurses Association has some 55,000 members.
The Privacy Commissioner reminded businesses and organisations that a 2020 update to the Privacy Act means any data breach must be reported to his office.
And he warned people not to share any information spilled online. Instead, it should be reported to police.
“For individuals - be on the lookout for anything out of the ordinary. Watch out for suspicious texts, emails or unusual things happening with your accounts or records. Be particularly cautious of contact from an unknown source,” the Commissioner said. The agency has posted protection tips online.
At least three business organisations have had systems knocked offline after the IT provider they share was hit by a cyber attack, while another three have reported cyber incidents.
BusinessNZ’s website was offline Monday afternoon with an “under maintenance” message, while the Wellington Chamber of Commerce and its stablemate Business Central also had systems affected.
The Herald understands early indications are that only public-facing channels were involved, not servers containing any financial data. But a breach of sensitive files could not be completely ruled out at this point.
Business NZ spokesman Cal Roberts, speaking on behalf of both his own organisation and Wellington Chamber and Business Central, told the Herald:
“BusinessNZ and Business Central’s external IT infrastructure provider has been the victim of a cyber attack which has affected some of our websites.
“Both BusinessNZ and Business Central take their obligations to protect members’ information seriously. Our current focus is working with our IT provider to investigate and understand the situation further.”
The Herald understands the IT provider is Wellington-based Mercury IT (which has no connections to the Australian IT provider of the same name), and that a number of the firm’s other clients have also been affected. (UPDATE: Mercury IT said in a statement that it was hit by a cyberattack. It was working with outside specialists and authorities but could offer no more details. Through a spokesman, director Corry Tierney declined to answer questions.)
The New Zealand Nurses Organisation (NZNO), which represents more than 55,000 nurses and health workers, said in a website statement that it had also been affected by a cyber-attack on its IT provider, who was not named.
“Due to a major international cyber-attack on its host, Kaitiaki’s website is down. Police and cyber-security experts are working with NZNO tech consultants to restore it (and other affected websites) as soon as possible. However, we have been advised this could take some days,” the NZNO said in a statement.
This morning, NZNO spokesman Rob Zorn had good and bad news. The bad: Website data could not be retrieved. The good: “We are certain that no personal data has been compromised by this attack.” Zorn declined to name the NZNO’s IT provider.
The Physiotherapy Board of New Zealand was in the same situation. It also did not name its IT provider, which it said had been hit by “a large-scale ransomware attack.”
The board said in a statement on its website that it was not aware of the attack resulting in the publication of any personal details but added: “Such a privacy breach may be possible”.
The nature and extent of the attack was not yet clear.
Late on Friday, health insurer Accuro said its customer data could have been exposed in a cyber attack.
The Wellington-based firm has around 30,000 customers, chief financial officer Joe Benbow told the Herald.
“Accuro’s external IT infrastructure provider has been the victim of a cyber attack that has prevented access to a number of our core systems,” the firm says in a statement.
Benbow wouldn’t name the provider on Friday, or today.
“At this stage, we have no evidence that any Accuro data has been compromised, but we cannot rule out this possibility,” the CFO said on Friday.
He would not confirm or deny if a ransomware threat was involved.
This afternoon, there was no substantial update. Accuro is still trying to gauge the scope of the attack, and whether sensitive data was exposed.
“Our IT provider is working with their own forensic experts and Government agencies to understand the nature and extent of the impact. We have also notified the relevant regulatory authorities, including the Office of the Privacy Commissioner,” the firm said in a statement.
The company warns its phone service is currently limited and is asking customers to email firstname.lastname@example.org instead.
Brett Callow, a threat assessment analyst with NZ-based Emsisoft, told the Herald there were no immediate signs of Accuro customer data for sale on the dark web, as of Monday afternoon. Nor was there any sign of any BusinessNZ or Wellington Chamber data.
Accuro is the latest provider to be hit after a string of cyber-attacks that included a hack on central North Island provider Pinnacle Midlands Health Network in October and the earlier ransomware attack on the Waikato DHB. Pinnacle updated on Friday afternoon that it is still in the process of trying to identify affected patients.
Across the Tasman, sensitive patient records have started to appear on the dark web after health insurer Medibank refused to pay a US$9.7m cyber ransom.
Pinnacle has refused to confirm or deny if it’s the subject of a cyber ransom demand.