New Zealand Privacy Commissioner Michael Webster is looking to launch an investigation into Mercury IT, a Wellington-based IT provider that was hit by a ransomware attack last week.
“The Office of the Privacy Commissioner is planning on opening a compliance investigation into this incident so that it can make full use of its information-gathering powers,” the commission said. “We encourage any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner.”
The attack on Mercury IT has compromised a large amount of sensitive data that it hosts for multiple clients. These clients include BusinessNZ, the NZ National Nurses Association and the Ministry of Justice, with 15,000 Coroners Court files taken out, the NZ Herald reported.
Health insurer Accuro was also affected by the cyberattack, which compromised its access to several core systems.
The Government Communications Security Bureau’s National Cyber Security Centre (NCSC) said that several providers contracted to Te Whatu Ora Health NZ have also been affected by the attack. However, the delivery of health services has not been impacted, the NCSC said.
The response to the ransomware attack is being led by the NCSC, with support from CERT NZ and New Zealand Police.
“On Nov. 30, we became aware that we were the victim of a cyber incident after a malicious and unauthorised actor gained access to our server environment,” Mercury IT director Corry Tierney said in a statement. “This was immediately escalated to senior management. The incident was raised with relevant government authorities, and we have engaged external specialist support. Our response to understand how this occurred, and address the impacts, is at an early stage; however, all possible steps have been taken to secure our environment. We are committed to supporting our impacted clients with their own investigations wherever possible and we apologise, sincerely, for the impact this attack has caused.”
Several high-profile cyberattacks have occurred in recent months, with health-related firms such as Australia’s Medibank and New Zealand’s Pinnacle Health being targeted. Hackers often look to gain access into systems of data-rich entities, such as health companies, insurers, and government agencies. The stolen sensitive data is then sold online for various unethical purposes.