A few years ago there was an ad campaign for New Zealand making fun of the fact that we are often left off maps. When looking at cyber security news it often feels like we are missed off the map too. There were plenty of international round-ups of cyber security events for 2021, but few mentioned what happened here in Aotearoa New Zealand. To redress the balance, here’s our list of New Zealand’s publicly reported cyber security events from 2021:
January
The Reserve Bank of New Zealand reported that it suffered a significant breach caused by a hack of its Accelion file sharing service. (In May the RBNZ issued an independent report into the breach.)
March
Air New Zealand had the personal information of some customers stolen when Star Alliance service provider SITA was hacked.
Lumino dentists had a staff member’s email hacked and the personal information of some customers accessed.
May
Hospital services at the Waikato District Health Board were brought to a halt for several weeks due to a ransomware attack. Some services were still not fully functional in December, and large amounts of confidential data was published on the dark web.
Microsoft announced that it will build an Azure data centre in New Zealand.
Volunteer Service Abroad (VSA) – a New Zealand charity – was hit by a ransomware attack.
June
A Fastly glitch took down large parts of the internet, including key NZ websites such as Radio NZ.
July
A vulnerability in the Kaseya IT management product was exploited world-wide by a ransomware gang. Several NZ organisations were impacted due to it being used by their service providers
The New Zealand Government condemned hacking by China’s Ministry of State Services. The surprising thing is that New Zealand publicly joined in the international condemnation, given how quiet the government usually is on such matters.
Symes De Silva – a Wellington dental practice – had their email hacked and clients’ personal information stolen.
August
The Department of Conservation’s Aoraki search and rescue base suffered a ransomware attack.
September
Amazon announced that they too will be opening a data centre in NZ.
Vocus (a wholesale telecommunications provider) suffered a DDoS attack which took down a number of NZ websites and online businesses. This was quickly followed by DDoS attacks on a number of NZ banks and other organisations.
NZ was hit with a wave of SMS scam messages which tried to trick Android phone users into downloading malware called “Flubot” which can steal personal data.
October
Some ACC contact centre staff shared clients’ confidential details and mocked them in a Snapchat conversation.
November
Frontier Software – a major provider of payroll software and services in NZ – was the victim of a ransomware attack. In December it was announced that the attackers had exfiltrated and published pay data of 80,000 South Australian government employees. Luckily nothing that bad happened to NZ customers.
December
The National Cyber Security Centre announced a new initiative for protecting New Zealand organisations from attacks: Malware Free Networks.
The Teaching Council acknowledged a privacy breach when details of confidential investigations were inadvertently posted online.
Critical Vulnerabilities
While these stories weren’t specific to NZ, just like cyber security professionals everywhere else in the world, several critical vulnerabilities scared the bejeezus out of us here in Aotearoa. Here are the ones that got our pulses racing in the Axenic office:
- In March we learned about a critical vulnerability in on-premise Microsoft Exchange servers which had been actively exploited for quite some time.
- A vulnerability in Microsoft network printing (later named Print Nightmare) was accidentally disclosed by researchers. It took Microsoft until September to fix all of the related issues.
- A vulnerability in an IT service management tool from Kaseya was exploited in July. Unfortunately as it was popular with service providers if it was in your environment you might not have even known.
- And lastly, in December just as we were preparing for our holidays a massive vulnerability was found in a logging library used by millions of java applications. Log4Shell (as it came to be known) caused a major headache as we scrambled to find what in our environments might be using it – and which of our suppliers were impacted too.
That’s our list of New Zealand cyber security events that were publicly reported in 2021. We’re sure that there are other events that we missed. Let us know of any events worthy of making the list. And of course, if you’d like help understanding what is going on in cyber security nationally or internationally or would simply appreciate a New Zealand perspective drop us a line.