Malicious activity now the main cause of serious privacy breaches in NZ
The percentage of serious privacy breaches caused by intentional or malicious activity has almost doubled in the past year.
For the first time malicious activity, rather than human error, is more likely to compromise your privacy.
There has been a 41% increase in the number of serious privacy breaches reported by organisations in New Zealand over the past year, according to the Office of the Privacy Commissioner (OPC). In the first half of the 2021/22 financial year there were 147 serious breaches, rising to 207 in the first half of the 2022/23 financial year.
What is a malicious privacy breach?
The most common type of malicious activity is referred to by the OPC as ‘unauthorised access’, including phishing attacks, email system hijacking for spam or fraud, and the installation of malware including ransomware.
The OPC said the malicious – rather than accidental – intent of the attackers means these attacks must be treated as having the potential to cause serious harm and should be reported immediately.
The number of malicious attacks is growing
One malicious attack can impact the privacy of thousands of people, and as the number of these breaches grows – from five in January 2022 to 24 in December 2022 – the likelihood of consumers being harmed by one of these breaches will grow significantly.
In December 2022, a ransomware attack on Wellington firm Mercury IT saw the data of businesses including health insurer Accuro listed for sale on the dark web, while work by the IT firm for Te Whatu Ora and Health NZ led to 14,500 coronial files and 4000 post-mortem reports being compromised.
In Australia, health insurer Medibank saw its systems breached in October 2022. A vast quantity of consumer data was compromised, with hackers threatening to release the information unless a $15 million ransom was paid. In November, to demonstrate the validity of the data, information on individuals who had received abortions, or treatment for mental health issues or alcoholism, was released onto the dark web. In December, the full trove of customer data was published by the hackers.
Privacy breaches can also be caused by human error, such as sending an email to the wrong person, or by the unauthorised sharing of information, such as accidentally giving one individual another person’s address or telephone number. These incidents can still harm individuals, but not to the same extent as malicious attacks.
Businesses’ responsibilities when breaches occur
Breaches are inevitable due to human error and the rise of malicious attackers. However, Privacy Commissioner Michael Webster is keen to remind businesses of their responsibilities when they have been breached.
“Report the breach as early as possible. Notifiable privacy breaches should be reported within 72 hours of the breach being identified.”
The OPC is available to help triage a response to a breach and guide the organisation through the crisis.
Businesses that fail to report breaches to the OPC could receive fines of up to $10,000, but this is a small figure both in the context of many businesses’ balance sheets and by international standards.
In 2021, under the EU’s General Data Protection Regulation, Booking.com was fined €475,000 (almost $800,000) for being late to report a data breach. In the same year, Twitter was fined €450,000 (almost $755,000) for the same offence. In the UK, failure to report a data breach can result in a fine of £8.7 million (about $16.6m) or 2% of global turnover – whichever is highest.