NZ Privacy Commissioner Investigates Mercury IT Ransomware Attack

Written by

The Office of the Privacy Commissioner in New Zealand released a public statement on Tuesday on the ransomware attack affecting technology services provider Mercury IT.

“This is an evolving situation. We were notified of the cybersecurity attack on 30 November 2022,” reads the statement. “Urgent work is underway to understand the number of organizations affected, the nature of the information involved and the extent to which any information has been copied out of the system.”

The Office of the Privacy Commissioner also confirmed it is planning on opening a compliance investigation into this incident to leverage the full extent of its information-gathering powers. 

“We encourage any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner.”

At the same time, the privacy watchdog warned individuals and companies receiving or finding information related to this, or any other cyber-attack, not to spread or share it.

“Report it to the New Zealand Police. No one should contribute to its widespread dissemination. Spreading this information or profiteering from it causes anxiety and distress to victims.”

The Office of the Privacy Commissioner also provided a link that users can follow to protect themselves from data breaches.

“This ransomware attack serves as a reminder to all businesses that they can be targets of ransomware, irrespective of their size,” commented Raj Samani, SVP and chief scientist at Rapid7.

“Indeed, many small organizations form a critical part of the supply chain for larger organizations, and this provides criminals the opportunity to demand and extort large sums from victims.”

The executive added that understanding this economy allows ransomware operators to cause as much chaos and disruption as possible in the hope that this will motivate victims to pay. 

“Therefore, all businesses – no matter their size – need to ensure that they operationalize cybersecurity,” Samani told Infosecurity. “It must be seen as an essential part of the organization’s processes and form part of the cost of operational running.”

The Mercury IT attack comes weeks after neighboring Australia announced plans to potentially ban ransomware payments in response to the Medibank data breach.

What’s hot on Infosecurity Magazine?