Reseller News

Assessing the top NZ security breaches of 2018

Kiwi businesses now under the security spotlight

New Zealand businesses and individuals continued to fall victim to cyber attacks during the first half of 2018, as security breaches increase across the country.

Following years of end-user indifference - maintaining the belief that ignorance is bliss - the nation is now under threat and in the firing line, as organisations of all shapes and sizes face exposure.

Perhaps for the security specialists up and down the country, this revelation is nothing new, a mere stating of the obvious in a world now dominated by high-profile attacks.

Yet for some reason, the penny has failed to drop among Kiwis, with some mistakenly holding onto the belief that geography still remains the golden saviour from hackers.

Granted, not every breach has been due to a malicious gang of cyber criminals, with human error also playing a factor.

But irrespective of the cause, the end result is a New Zealand now under the security spotlight.

Since January, the Inland Revenue, Z Energy and Vector have fallen victim to media headlines and public scrutiny, not to mention a government minister impersonated via social media.

Added to the global incidents impacting Facebook, Ticketmaster and Ortbiz - not forgetting Meltdown and Spectre - and New Zealand already has a scrapbook of security breaches to browse through.

The year started off with revelations that thousands of Inland Revenue files were locked up after New Zealand's tax department became the target of a crypto-locking attack.

In February, IRD said that in addition to the phishing emails targeting customers, the department also regularly receives phishing emails attempting to obtain money or information or to compromise the Inland Revenue environment.

"In November 2017, a link in a phishing email was clicked on resulting in a cryptolocker malware executing within Inland Revenue which encrypted 3500 files," a statement to Parliament's Finance and Expenditure Committee said.

IRD told Reseller News at the time that the attack occurred in November 2016, not 2017 as it told the committee.

The files were recovered from back-up and no Inland Revenue data was lost or compromised, IRD said in response to questions during the department's annual review.

Less than two months after such revelations, a total of 63,724 people in New Zealand were revealed to be potentially impacted by the Cambridge Analytica data breach, according to figures released by the Office of the Privacy Commissioner.

As reported by Reseller News, the scandal involved the collection of personally identifiable information of up to 87 million Facebook users that Cambridge Analytica began collecting in 2014 - the data was used to influence voter opinion on behalf of politicians who hire them.

Following the breach, Facebook apologised, experienced public outcry and lowered stock prices, calling the way that Cambridge Analytica collected the data as "inappropriate."

At the time of the revelation, New Zealand's privacy commissioner joined international criticism of Facebook, saying the business broke the law by declining a citizen access to personal information held on the accounts of other users.

As the dust settled on the news, in a separate incident involving the social media giant, the government then took the step to urge New Zealanders to report suspicious activity on their Facebook accounts, after digital media minister Clare Curran was targeted by a fake account.

After being impersonated online, Curran said CERT NZ - a national emergency response team - advised the minister to change her password and upgrade protection.

Customer data

Moving away from all things social media however, the next major security incident came in the form of electricity network provider Vector, as revealed in April.

Read more on the next page...

Page Break

As reported by Reseller News, a vulnerability in the Outage app may have exposed the personal information of more than 35,000 customers in New Zealand.

Following the severe storm which battered the country in April, the company was “made aware” of an API vulnerability within its application.

As a result, the glitch allowed users with an understanding of web applications to identify the vulnerability and potentially exploit it to see information about other application users.

The provider first reported that as many as 24,000 users may have had name, phone number and address details accessed, before updating the number to 35,000.

A matter of weeks later, Vector then took legal action against news outlet Stuff in New Zealand, applying for a high court injunction following the breach.

The action centred around the recent breach of customer information from the Vector Outage App, and the subsequent publication of a news story by Stuff based on that data.

“Vector has asked Stuff several times to secure, to return or to destroy the confidential Vector customer data now in their possession that was provided to it by the hacker,” a spokesperson for Vector stated. “Stuff Limited has repeatedly refused this request.”

On the morning of 26 April, Vector said it was made aware by Stuff that an unspecified third party had unlawfully accessed the personal information of up to 24,000 Vector customers and provided the data to Stuff.

Stuff published a news story on this on the afternoon of April 26.

“We fully accept Stuff had a valid right to report on the original data breach,” the statement read at the time. “We have made it clear to Stuff that we were not seeking to prevent their reporting on the matter and we have not asked them at any time to disclose their information source.

“However, we do not believe Stuff should have compounded this matter by exploiting the customer data when reporting on it.”

Next up in the firing line was Z Energy, with the Zealand-based fuel supplier presented with evidence that customer data from its Z Card Online database was accessed by a third party in November 2017.

Revealed in June, the database held customer data such as names, addresses, registration numbers, vehicle types and credit limits with the company.

Kiwi threats

With local examples mounting, during the first quarter of 2018, a total of 506 incident were reported according to CERT NZ findings, representing the highest figures since the security body was established.

“With this increase comes more information about the impact on New Zealanders,” said Rob Pope, director of CERT NZ. “Financial losses continue to be high, with almost $3 million in direct financial loss reported.

According to Pope, 45 per cent of incidents reported showed “some form of loss”, while vulnerability cases increased dramatically with twice as many received compared to the fourth quarter of 2017.

Alongside new ransomware variants - chiefly Rapid and David - CERT NZ findings showed increases across in the board in terms of security attacks, spanning phishing and credential harvesting (55 per cent increase); unauthorised access (67 per cent increase), and reported vulnerabilities (133 per cent increase).

“We help Kiwis improve their cyber security using the data we collect and collate,” Pope added. “We make the most difference when we’re working as a fence at the top of the cliff, rather than focusing just on being the best ambulance at the bottom of it.

“We’re doing this by working on new ways to disrupt models of attack and building outreach activities that help people take simple actions to protect themselves online.”

The findings align with earlier reported figures, highlighting that more than one-third of the adult online population in New Zealand was affected by cyber crime in 2017, impacting as many as one million Kiwis.

Representing almost a quarter of the estimated 4.7 million population, according to 2017 census figures, the victims lost more than $177 million combined, spending over nine hours dealing with the aftermath.

According to findings Norton by Symantec findings, nearly half of all New Zealanders (49 per cent) have or know someone who has been impacted by an online security threat.

Of those who have ever been a victim of cyber crime, 56 per cent have been affected in the past year.