Tens of thousands of NZ nursing union email addresses hacked in phishing scam
The nurses' union has been hacked in a phishing scam and tens of thousands of member contact details sent to scammers.
On Monday, someone pretending to be the New Zealand Nurses Organisation chief executive, Memo Musa, using a fake Yahoo email, contacted the union and asked for member email contacts.
The information was unfortunately released, the union says.
A statement said not all of the 47,000 members' emails were registered with the union, but the number of addresses sent to scammers was in the tens of thousands.
Acting chief executive Jane MacGeorge said the union was communicating with members to provide advice and the organisation acknowledged the privacy breach was very unfortunate and upsetting for members.
"We have firstly apologised to our members and have started an investigation into how this happened and are working to prevent this from happening again," she said.
MacGeorge said members should consider whether to open any email from a Yahoo address and question whether an NZNO address was correct.
The union was working with the Office of the Privacy Commission, met police from the cybercrime department, and staff from the Ministry of Health and Department of Internal Affairs.
The Department of Internal Affairs has asked Yahoo to shut the fake email.
"We have communicated with the chief executives of district health boards and worked with the general practitioner organisation to get communication out to the health sector about this release of email addresses and are advising them to be on alert."
A union spokeswoman said it was not yet clear how the information was passed to a third party, but someone faked an email from the chief executive.
An internal investigation into how the breach happened was the first step, she said.
"It's not clear. Where the information was sent was a fake email address that looked like the CEO's address.
"Although it's serious it's not at the high level of personal information [such as health information]. This could have happened to anyone in a way. We'll investigate what happened and there will be a review."
The union chief executive is attending a conference overseas.
Members have been sent information about the scam and the union has apologised, a statement said.
"This data breach occurred as a result of a response to a phishing email. Phishing emails are emails that deceive recipients into believing that they are responding to a legitimate request, in this case from the chief executive.
"We are now investigating how this happened."
The union has also published advice to members about how to be secure on email.