Imagine your most personal medical information being held hostage. That's the stark reality facing over 126,000 New Zealanders after a massive hack of the ManageMyHealth portal. This incident is being called one of the country's worst cybersecurity breaches, but how does it truly stack up against other digital disasters? Let's dive in and explore the growing threat of cybercrime in Aotearoa.
Hackers are threatening to release a staggering 400,000+ stolen documents unless a $60,000 ransom is paid. This isn’t just about money; it's about the potential for identity theft, extortion, and deep personal violation for thousands of people. The government has already launched a review to investigate the security failures that allowed this breach to happen and determine what improvements are needed to protect patient data in the future. ManageMyHealth is scrambling to contain the damage, seeking legal injunctions to prevent the public release of sensitive information and working with various agencies like Health NZ and the Privacy Commissioner to minimize the ongoing risks.
But here's where it gets controversial... Should companies pay ransoms to hackers? The official advice is a firm no, but the pressure to protect affected individuals is immense.
The National Cyber Security Centre (NCSC)'s latest Cyber Threat Report paints a worrying picture: cybercrime is becoming increasingly commercialized. Known vulnerabilities in New Zealand's systems are like open doors for malicious actors. In the 2024/25 year, over 40% of incidents handled by the NCSC were linked to criminal or financial motives, a dramatic increase from the 25% linked to state-sponsored actors. Financial losses from these attacks have also skyrocketed, jumping from $26.9 million to $21.6 million. The NCSC strongly advises against paying ransoms, warning that victims often don't get their data back and may even face further extortion attempts.
And this is the part most people miss... The rise of AI is making cyberattacks easier and more sophisticated. Attackers no longer need advanced technical skills to launch convincing and scalable attacks. AI can automate the process of finding vulnerabilities and crafting phishing emails, potentially overwhelming traditional security teams. However, AI also offers opportunities for defense, enabling rapid detection and response to automated attacks. It's a digital arms race where speed and agility are crucial.
Let's look at some other significant cybersecurity incidents that have impacted New Zealand:
Waikato DHB (2021): A Stark Warning
This attack brought several hospitals to their knees. In May 2021, hackers crippled services at five Waikato hospitals by taking down 611 servers. Six weeks later, they leaked private data from over 4,000 patients and employees on the dark web. The attackers used ransomware, demanding payment to restore access to the systems. Staff were forced to use manual workarounds for months, and the DHB struggled to deal with a growing patient backlog.
The DHB had been warned months earlier about its outdated security measures, including clinical devices still running unsupported versions of Windows. A subsequent report, while redacted in key areas, highlighted the critical need for robust cybersecurity practices in healthcare. This attack served as a wake-up call for the entire sector.
Tonga Health System (2025): International Impact
In June last year, Tonga's health system was completely shut down for nearly a month by hackers demanding a $1 million ransom. The Tongan government refused to pay, and Australia stepped in to help restore the system. Patients were asked to bring handwritten notes to appointments, highlighting the devastating consequences of a cyberattack on essential services.
A Success Story: The Importance of Backups and MFA
The NCSC report also included a case study illustrating how strong security practices and quick responses can effectively combat ransomware attacks. In one instance, a healthcare organization suffered a ransomware attack that encrypted many of its servers and stole a significant amount of data. However, the organization's IT provider quickly took remediation steps, including changing credentials, updating accounts, and deploying extra security measures.
The key to their success? Frequent system backups. Because they had completed a backup just one hour before the attack, they were able to restore their systems and return to normal operations quickly. The NCSC also noted that the lack of multi-factor authentication (MFA) had allowed the hacker to gain access in the first place. MFA, requiring multiple verification methods, adds an extra layer of security that can prevent unauthorized access.
Global Impacts: WannaCry (2017)
The WannaCry attack in May 2017 demonstrated the global reach of cybercrime. It locked down over 300,000 computers in more than 150 countries, demanding US$300 per affected machine. The UK's health service was particularly hard hit, with nearly 20,000 hospital appointments cancelled. In New Zealand, Lyttelton Port was shut down as a precaution. The United States later blamed North Korea for the attack.
Beyond Healthcare: Other Notable Breaches
- Qantas (2025): A breach affected 5.7 million Qantas customers, including some New Zealanders, with personal data stolen from about 40 companies worldwide.
- Nissan (2024): About 100,000 customers from Nissan's Australian and New Zealand arms were affected by a hack, with stolen data published on the dark web.
- Latitude Financial (2023): This attack affected over 14 million documents, including New Zealand driver's licenses, bank account numbers, and passport details.
- Mercury IT (2022): Health NZ and the Ministry of Justice lost access to health and coronial files due to an attack on external provider Mercury IT.
- Squirrel (2024): Mortgage broker Squirrel was targeted in an attack exposing passport or driver's license details of about 600 peer-to-peer investors.
- AA Traveller (2022): Names, addresses, contact details, and expired credit card numbers from hundreds of thousands of customers were stolen.
Government and Infrastructure Under Attack
- China Accused of Hacking NZ Parliament (2021): Senior Minister Judith Collins revealed that the Parliamentary Service and Parliamentary Counsel Office had been targeted by a group called APT40, allegedly linked to the Chinese government.
- NZX Attack (2020): The New Zealand stock exchange came under repeated Distributed Denial of Service (DDoS) attacks, bringing trading to a halt.
Unintentional Disasters: The Crowdstrike Incident (2024)
Sometimes, the biggest threats aren't malicious attacks, but unintentional glitches. The Crowdstrike incident in mid-2024 saw errant code in a security update bring down services worldwide, including in New Zealand.
The Big Picture
The ManageMyHealth hack is a stark reminder of the growing threat of cybercrime. It's not just about money; it's about the privacy, security, and well-being of individuals and the stability of essential services. As technology evolves, so too must our defenses. Strong security practices, frequent backups, multi-factor authentication, and rapid response capabilities are essential to protect against these ever-evolving threats.
What do you think? Should companies be legally obligated to implement specific cybersecurity measures? Is the government doing enough to protect New Zealanders from cybercrime? And what responsibility do individuals have in safeguarding their own data? Share your thoughts in the comments below!
