Michael Webster (Privacy Commissioner) Credit: Supplied

An "evolving" hack at IT service provider Mercury IT has the Privacy Commissioner and the National Cyber Security Centre pondering a response.

The National Cyber Security Centre (NCSC) is on the case because Mercury IT provided services to several government agencies, including Te Whatu Ora, Health NZ.



In a statement this afternoon, Privacy Commissioner Michael Webster said the situation was "evolving".

"We were notified of the cyber security attack on 30 November 2022," he said. "Urgent work is underway to understand the number of organisations affected, the nature of the information involved and the extent to which any information has been copied out of the system."

Webster, who was appointed in June, said he was planning to open a compliance investigation into the incident so his office could make full use of its information gathering powers.

"We encourage any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner."



Located in Auckland, Wellington, Hamilton and Melbourne, Mercury IT manages IT services for more than 3000 users and around 200 organisations, according to its website.

"While work is underway to understand and respond to this particular incident we have some key messages for individuals, organisations and members of the public in general," the Privacy Commissioner said.

"It is important that people who receive or find information related to this, or any other cyberattack, do the right thing. Do not spread it. Do not share it. Report it to the New Zealand Police.

"No one should contribute to its widespread dissemination. Spreading this information or profiteering from it causes anxiety and distress to victims."

Individuals should be on the lookout for anything out of the ordinary.

"Watch out for suspicious texts, emails or unusual things happening with your accounts or records," Webster advised. "Be particularly cautious of contact from an unknown source."

The NCSC said Mercury IT had engaged external cyber security response support and reported the incident to agencies including the NCSC, New Zealand Police, CERT NZ and the Privacy Commissioner.

The NCSC, within the Government Communications Security Bureau (GCSB), was leading coordination of the government’s response.

Agencies whose data has been impacted included providers contracted to Te Whatu Ora, Health NZ, but the incident had not affected the delivery of health services.

The Ministry of Justice also confirmed the incident impacted access to some coronial data.

Deputy Director-General of the NCSC Lisa Fong said the incident response was at an early stage.

“It may take some time to get clarity around data impacted and to determine potential harm and scope of any breach," Fong said.

“We are very conscious that the malicious actors behind this event could use public communications as a means to further leverage the incident and cause harm to others. For this reason we will not be providing further information at this time.”