Online security

Cyber ​​minister needed as attacks surge, security expert says

New Zealand needs a dedicated cybersecurity minister, says industry expert, on back of healthcare provider hack.

A cyberattack siphoned data and patient information from the Pinnacle Health Network on September 28 and uploaded it to the dark web.

Attacks are on the rise around the world, said CyberCX Executive Director of Security Testing and Assurance Adam Boileau, and governments need dedicated resources to protect cyber and civilian infrastructure.

“We need a dedicated cybersecurity minister to protect and regulate an industry that is at the heart of everything we do.”

* 350 cyberattacks on New Zealand last year, a third of them by state-sponsored exploitation groups
* Major Data Breach in Spotless Cleaning and Restoration Company
* Hackers publish customer data removed from Auckland financial services company on the dark web


Patient information held by PHO Pinnacle was allegedly compromised in a cyberattack (video first posted on Tuesday).

New Zealand’s privacy laws were enacted when cyberspace and security were different issues, and needed to keep pace because security, privacy and information were fundamental to society, he said.

“Entrusting security and data protection to the private sector is no longer enough,” he said.

“Australia appointed its first-ever cybersecurity minister a few months ago, and we’ve already seen the value of a dedicated role.”

He said that following a “massive” data breach at Australia’s biggest telecoms company Optus, new cybersecurity minister Clare O’Neill acted quickly and publicly to hold the government to account. business and strengthen legislation.

“It’s an example we should learn from – while New Zealand is geographically isolated, it makes no difference in cyberspace.”

Pinnacle chief executive Justin Butcher (right) said patient information was compromised in the cyberattack.


Pinnacle chief executive Justin Butcher (right) said patient information was compromised in the cyberattack.

Privacy Commissioner Michael Webster would not comment on whether there should be a single minister for cybersecurity – instead of having multiple ministers whose portfolio responsibilities included a cybersecurity component.

But he said Pinnacle’s breach was a timely reminder that everyone respects the personal information of others by not accessing any stolen information posted online.

“Any information from this breach could be sensitive, which could cause a great deal of anxiety for those affected.”

Individuals affected by the breach should be alert to emails, phone calls, and text messages claiming to be from Pinnacle, financial institutions, telecommunications carriers, government, or other agencies asking you to click link, provide personal or identifying information, or request that you provide remote access to your device.

He encouraged those affected to enable two-factor authentication on their accounts to add an extra layer of security.

“Unfortunately, scammers and cybercriminals take advantage of privacy breach events to attempt to trick community members into providing personal, account or credential information, infecting devices or motivate individuals to perform actions as part of a scam.

“If you receive or find this information, do the right thing – notify Pinnacle and the police. Do not access or share the information and keep it in quarantine until told to delete it .

He said protecting privacy and cybersecurity required vigilance and regular review to ensure processes remained fit for purpose.

“Cybercriminals are constantly evolving their approaches.”

A Pinnacle spokesperson said the 0800 number set up for those affected had received 187 calls.


A Pinnacle spokesperson said the 0800 number set up for those affected had received 187 calls.

Webster said a key lesson from the Optus breach in Australia was “the critical importance” of only collecting and keeping the information you need.

“The more data an organization holds, the greater the potential harm. Organizations can mitigate this risk by ensuring that they only collect the personal information they need for business purposes, that they adequately ensure that it is protected from harm, and then destroy it in safely when they are no longer needed.

He said all organizations should have a privacy or data breach response location, which has been tested the same way you would have a fire or disaster response plan. earthquake.

“It has to be part of the muscle memory of an organization. This includes how you would communicate with potentially affected people as you undertake triage to identify those who are actually affected.

“Cybercriminals and scammers will not wait for you to complete your processes and your customers/clients have the right to take action to protect themselves.

“Cyberattacks are increasing, and so are the costs to prevent and respond to them.”

A Pinnacle spokesman said the 0800 number set up for those affected had received 187 calls – as of midday on Tuesday – and no particular themes had emerged.

The information and data collected related to past and present patients and clients of Pinnacle Group in Waikato, Lakes, Taranaki and Tairāwhiti districts.

It also included the practices of Primary Health Care Ltd of Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.

This attack follows the Waikato District Health Board hack in May last year, when sensitive patient data was stolen.

Netsafe would not comment on whether New Zealand needs a cybersecurity minister or on cybersecurity and legislation in New Zealand.