Cyber attack on Northland firm shows need for businesses to be prepared

A cyber attack on Whangārei-based electrical contracting company McKay shows the importance of businesses having a cyber security response plan.

The firm – New Zealand’s largest privately owned electrical contracting company – was listed as a victim on the darknet site of a new ransomware group called Mnt6.

The hacking group, which emerged in April, also claimed two Canadian-based companies as victims.

McKay said it became aware of an incident, involving just one internal device, in January this year.

The company immediately initiated its cyber security response plan, while the unauthorised access was isolated and contained.

“Our IT systems have continued to operate securely throughout this period. This has been independently reviewed and verified by a third‑party cyber security specialist," McKay said in a statement.

“All customers and relevant individuals involved were notified and received updates as our investigation continued.”

McKay obtained an injunction from the High Court in Auckland to restrict any unauthorised access, or sharing of information, linked to the cyber attack.

It also reported the incident to the appropriate authorities, including the Office of the Privacy Commissioner and the National Cyber Security Centre.

“We have worked closely with leading third‑party cyber security specialists to further strengthen McKay’s systems and are actively monitoring the environment for any further suspicious activity,” it said.

While McKay was the only New Zealand company listed as a victim of Mnt6, it was not alone in being impacted by a cyber attack.

McKay director Lindsay Faithfull shows off McKay's sponsorship of the stadium at Kensington, Northland's largest indoor stadium.

High-profile incidents this year included at Manage My Health – threatening the details of up to 120,000 patients – and health platform MediMap.

Last week, there was an attack on learning management tool Canvas, used by The University of Auckland, Victoria University of Wellington and Auckland University of Technology.

McKay said the incident emphasised the importance of being prepared for when, not if, a company was impacted by a cyber threat.

It was fortunately able to quickly initiate its cyber security response plan.

The push to be prepared was echoed by Datacom, which found most New Zealand businesses don’t have a plan for getting back on their feet after a cyber incident.

The company surveyed more than 200 New Zealand security leaders in late 2025 and found there was a gap between confidence and readiness.

The hack on electrical contracting company McKay is a reminder for businesses to be prepared for cyber attacks. Photo / 123rf

While 78% of New Zealand leaders were confident they had sufficient resources to deal with a cyber attack, just 30% had a business continuity response plan in case of one.

Datacom AI director Adam Kirkpatrick said many businesses thought cyber attacks were simply a technology issue that needed tools and monitoring.

But he said it was important for business owners to have a decision-making process and recovery plan, if a cyber attack were to impact the most important part of their business.

“Investing in the tech is just not enough. It’s about the people, the process, the decision-making and a recovery plan.”

McKay was established in Dargaville in 1936 and now has locations across New Zealand and in the US.

It sponsors Northland’s largest indoor sports stadium in Kensington and recently earned praise from the Prime Minister for its work delivering an all-electric ferry fleet for Samoa.

Denise Piper is a news reporter for the Northern Advocate, focusing on health and business. She has more than 20 years in journalism and is passionate about covering stories that make a difference.