False sense of security: Inside NZ’s under-reported cyber war
Friday, 2 January 2026
Ransomware is one of the most serious cyber threats facing New Zealand organisations, yet only a fraction of serious incidents are made public so the danger is obscured.
The National Cyber Security Centre (NCSC) has repeatedly warned organisations, and helped large commercial and health‑sector organisations whose systems were encrypted and data stolen.
Often it’s done without naming the victims, underscoring how much of the problem remains out of public view.
So while the Manage My Health and Neighbourly attacks hit the headlines this week, most never do.
NSP chief information security officer Geordie Stewart in November estimated only about 10% of significant cyber attacks in New Zealand are made public.
New Zealand businesses may be facing a much higher risk from cyber attacks than they realise, with many incidents occurring out of public view, he said.
For every cyber incident that makes the news, Stewart estimated “at least 10 more occur quietly”.
Some companies handle the problem themselves, or call on external health, some quietly pay the ransom to make it go away.
It all creates a false sense of security, another technology expert told The Post.
“We take a fairly relaxed approach to these things, and we should toughen up a bit.”
When businesses quietly pay the ransom to protect their reputations, it undermines the level of concern felt by government and the public.
Under‑reporting “creates a false sense of security” and masks the true scale of the problem from government and the public.
Cyber attacks, a timeline
August 2020: New Zealand Stock Exchange - Extortion-driven DDoS (Distributed Denial of Service) attacks crippled the NZX website for several days, blocking market-sensitive announcements and forcing repeated trading halts. DDoS attacks knock a website or online service offline by overwhelming it with too much internet traffic.
January 2021: Reserve Bank – Hackers exploited a third-party file-sharing service (Accellion) to steal highly sensitive data in an extortion-linked breach.
May 2021: Waikato District Health Board – A Conti ransomware attack paralysed hospital systems for weeks, postponing surgeries and forcing manual handling of patient records – said to be NZ's most disruptive ransomware incident so far.
July 2021: Kaseya supply chain – Global hackers exploited Kaseya VSA software in a ransomware campaign that hit NZ schools and small businesses via their managed IT providers. Kaseya is remote monitoring and management software used to manage and patch many computers and servers from a central location.
September 2022: Pinnacle Midlands Health Network – Ransomware struck this major GP network, with malicious attackers claiming theft of data linked to up to 450,000 patients.
November 2022: Mercury IT – Mercury, a NZ-based IT services and support company that offers a range of technology solutions, was hacked, compromising services for the Ministry of Justice, Te Whatu Ora, health insurance provider Accuro Health and other organisations.
March 2023: Latitude Financial – A massive breach exposed drivers' licences and personal details of more than 1 million Kiwis – one of the country's largest privacy incidents. Passport data was also stolen.
September 2023: Auckland University of Technology – Monti ransomware group stole 60GB of data and threatened to leak it unless AUT paid a ransom. Monti emerged around 2022, and attacks diverse targets by encrypting data and extorting victims for ransom
October 2023: Auckland Transport – Cyber attack disrupted the AT HOP card system and website amid a broader ransomware-related IT incident.
March 2024: MediaWorks – Hackers claimed to steal data on 2.5 million Kiwis from MediaWorks' site, including competition entries and votes for shows like The Block NZ. A hacker marketplace known as BreachForums, where the stolen data was offered, was seized by the FBI, with help from police.
March 2024: NCSC reported a significant ransomware attack on a large NZ manufacturing firm (the name was undisclosed).
May 2024: Auxo automotive software – Ransomware targeted this software used by 50% of vehicle workshops; Auxo sought a High Court injunction to block publication of stolen client data and alerted the authorities and police.
May 2025: NCSC health “C3” incident – NCSC's 2025 report detailed a “Significant (C3)” ransomware case at a health organisation, encrypting servers/endpoints and stealing large data volumes.
July 2025: Qantas – This breach exposed the personal data of 6 million customers, including many NZ travellers, via a third-party contact centre.