Multiple government departments in New Zealand affected by ransomware attack on IT provider

A ransomware attack on Mercury IT, a widely used managed service provider (MSP) in New Zealand, is feared to have disrupted dozens of organizations in the country, including several government departments and public authorities.

The Ministry of Justice and Te Whatu Ora (Health New Zealand) are among the public authorities that have announced being impacted by a cyberattack on a third-party IT support provider. 

New Zealand’s privacy commissioner confirmed on Tuesday morning that “a cyber security incident involving a ransomware attack” was to blame, saying its upstream target was Mercury IT, which “provides a wide range of IT services to customers across New Zealand.”

Mercury IT is a small business with 25 staff according to its description on LinkedIn, which provides support, telecoms and infrastructure services to other organizations.

The data protection regulator said it was notified of the “evolving situation” on November 30, and added: “Urgent work is underway to understand the number of organizations affected, the nature of the information involved and the extent to which any information has been copied out of the system.”

The regulator said it would be opening a compliance investigation into the incident so it “can make full use of its information gathering powers” and encouraged “any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner.”

In a statement, the Ministry of Justice said that the attack was preventing it from accessing 14,500 files relating to the transportation of deceased people’s bodies, and roughly 4,000 post-mortem examinations dating from March 2020 to November.

Its chief operating officer Carl Crafar said: “We are conscious that so-called malicious actors behind such activity can monitor public commentary on incidents of this nature so will not be providing more detailed information on our responses at this time.”

In its statement, Te Whatu Ora, the country’s health ministry, said its access to data relating to bereavement and cardiac services was impacted. It said roughly 8,500 records about bereavement care services were inaccessible, alongside 5,500 records from the cardiac and inherited disease registry.

“While the above records are currently inaccessible, there is no evidence at this stage that they have been subject to unauthorized access or download,” said the ministry.

“We would like to reassure the public that there has been no disruption to health service delivery and that all Te Whatu Ora health services are continuing to run normally.”

The ministry added that six other health regulatory authorities who used Mercury IT had also been affected, including the Optometrists and Dispensing Opticians Board of New Zealand; the Chiropractic Board; the Podiatrists Board; the New Zealand Psychologists Board; the Dietitians Board; and the Physiotherapy Board of New Zealand.

It is not clear what impact the incident has had on these services.

BusinessNZ, an advocacy group, has also announced being impacted. Accuro, a not-for-profit health insurance provider in New Zealand with more than 34,000 members, stated that its “day to day operations and customer service have been impacted” by an attack on its IT provider.

It follows a significant ransomware incident affecting Australia’s private health insurer Medibank, which last month stated it would not be making an extortion payment after hackers gained access to the data of 9.7 million current and former customers, including 1.8 million international customers living abroad, and began releasing the details online.

The incident caused outcry in the country and prompted the Australian government to announce a new permanent joint standing operation between the Australian Federal Police (AFP) and the Australian Signals Directorate that would be “offensively attacking” groups behind ransomware incidents.

It comes a week after the United Kingdom announced it would be introducing a new mandatory reporting obligation on MSPs to disclose cyber incidents, alongside minimum security requirements which could see them fined up to £17 million ($20 million) for non-compliance.

Explaining the move, the government said that MSPs “play a central role in supporting the UK economy” and warned they are “an attractive and high value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Alexander Martin

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.