Privacy Commissioner Considers Action On Ransomware Attack
There has been a cyber security incident involving a ransomware attack on Mercury IT. Mercury IT provides a wide range of IT services to customers across New Zealand.
This is an evolving situation. We were notified of the cyber security attack on 30 November 2022. Urgent work is underway to understand the number of organisations affected, the nature of the information involved and the extent to which any information has been copied out of the system. The Office of the Privacy Commissioner is planning on opening a compliance investigation into this incident so that it can make full use of its information gathering powers. We encourage any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner.
Unfortunately cyber security breaches are becoming a regular occurrence. While work is underway to understand and respond to this particular incident we have some key messages for individuals, organisations and members of the public in general.
It is important that people who receive or find information related to this, or any other cyberattack, do the right thing. Do not spread it. Do not share it. Report it to the New Zealand Police. No one should contribute to its widespread dissemination. Spreading this information or profiteering from it causes anxiety and distress to victims.
For individuals - be on the lookout for anything out of the ordinary. Watch out for suspicious texts, emails or unusual things happening with your accounts or records. Be particularly cautious of contact from an unknown source.
If people would like to know more about some steps they could take to protect themselves from privacy breaches they could follow this link: https://privacy.org.nz/resources-2/protecting-yourself-from-a-privacy-breach/
For organisations who hold the personal data of New Zealanders. You have a responsibility under the Privacy Act to take all reasonable steps to ensure that information you hold in trust is safe from cyber-security breaches. This includes where services are contracted from a third party. A failure to take these steps is a breach of the Privacy Act and can result in compliance and enforcement action. This can include the requirement to “put things right” – for the impacted individuals and in terms of information security systems and processes. There is no room for any organisation to be complacent. Trust is hard won and easily lost.