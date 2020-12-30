Personal information belonging to clients of an Auckland financial services firm has been published on the dark web after the company fell victim to a ransomware attack.

Earlier this month a blog post on the dark web showed cyberattackers appeared to be in possession of sensitive information held by financial services company Staircase Financial Management.

The post on NetWalker Blog had a countdown clock indicating how much time was left before the data was made public. That clock has now run out and the data has been made public across multiple third party file sharing sites.

NetWalker is a type of ransomware software discovered in late 2019 and created by hackers. Ransomware threatens to publish the victim's data or block access to it unless a ransom is paid.

In a written statement Staircase director Kylie Turgis said its clients had been advised of the cyber-attack.

“We are assisting the NZ Police cybercrime team to investigate the matter,” Turgis said.

It had also consulted with Government agency Cert NZ and the office of the Privacy Commissioner, and was following their recommendations, she said.

“We will not be making any further public statements in relation to this.”

A police spokesman said its Auckland City Fraud team was not immediately aware of receiving any complaints in relation to the matter.

New Zealand authorities generally advise companies against paying ransoms to cyber criminals because it encourages future attacks.

Staircase’s website says it has been providing retirement and financial strategies to thousands of New Zealanders since 2001, through the creation of long-term property investment portfolios.

The Financial Markets Authority earlier said Staircase was not licensed by it and so was not required to notify it of a security breach.

The Privacy Commissioner’s office has been approached for comment.

CERT NZ recommended the following steps if a person was concerned that some of their personal information had been released through a data breach: