Date: 2022-12-06

A widening circle of government departments is emerging as victims of a third-party cyber attack.

On Thursday afternoon the Ministry of Justice admitted losing access to sensitive coronial information – including thousands of autopsy reports – due to a cyber attack on an external company, Mercury IT.

Later the National Cyber Security Centre said the government agencies whose data has been impacted included some providers contracted to Te Whatu Ora, Health NZ.

But Te Whatu Ora said data, including data relating to bereavement and cardiac services, was affected. Health services were continuing to run normally, its statement said.

However, Middlemore Hospital in Auckland had lost access to 8500 bereavement care services records dating back to 2015.

And a registry of 5500 records of cardiac and inherited disease data dating back to 2011 that clinicians used in Auckland, Wellington, Tauranga, Waikato, and Nelson was not accessible.

Te Whatu Ora’s statement said regulatory health authorities such as the Optometrists and Dispensing Opticians Board, the Chiropractic Board, the Podiatrists Board, the Psychologists Board, the Dietitians Board, and the Physiotherapy Board were also affected.

The National Cyber Security Centre, within the Government Communications Security Bureau, was currently leading coordination of the Government’s response.

The centre’s deputy director-general, Lisa Fong, said the incident response was at an early stage. The centre was working with the technology service provider to help understand the nature of the data that has been impacted and how it occurred.

“It may take some time to get clarity around data impacted and to determine potential harm and scope of any breach,” she said.

In a statement Corry Tierney, director of Mercury IT, confirmed the company’s involvement. The statement said on November 30 it learnt of malicious and unauthorised access to its servers. It told the relevant government authorities and it engaged specialist external support.

All possible steps were taken to keep the company secure, Tierney said.

“We are committed to supporting our impacted clients with their own investigations wherever possible and we apologise, sincerely, for the impact this attack has caused,” Tierney said.

At the Ministry of Justice it was believed it affected access to 4000 autopsy reports and 14,500 files relating to the transportation of dead bodies.

The autopsy reports related to files from Northland, Waikato, Bay of Plenty, Taranaki, Wellington, Horowhenua-Kāpiti, Nelson-Marlborough, Otago and Southland from March 2020 to November 2022, a ministry statement said on Tuesday.

The transport files were nationwide for the four years up to last month, ministry chief operating officer Carl Crafar said.

While it had blocked access to data, there was no evidence at this stage that the data had been taken, he said. However, a statement from the Office of the Privacy Commissioner soon after – which did not name the ministry – raised the possibility of information being copied.

The ministry said the cyber security incident did not target its systems directly but it was affected through the external company that provided information technology services to a “third party provider” the ministry had contracts with.

“We acknowledge that this incident has affected information that is sensitive. We will continue working to understand the extent of the incident,” Crafar said.

The Chief Coroner had been told. The ministry was working with the suppliers and various government agencies including Police, the National Cyber Security Centre, and the Office of the Privacy Commissioner, to understand the extent of the problem.

Soon after the ministry’s statement was released, the Privacy Commissioner issued its own statement saying there had been a ransomware attack on Mercury IT which provided a wide range of IT services to customers across New Zealand.

The statement did not name the ministry as one of the customers but it said urgent work was under way to understand the number of organisations affected, the nature of the information involved and the extent to which any information has been copied out of the system.

It was first told of the ransomware attack on November 30.

“It is important that people who receive or find information related to this, or any other cyberattack, do the right thing. Do not spread it. Do not share it. Report it to the New Zealand Police. No one should contribute to its widespread dissemination. Spreading this information or profiteering from it causes anxiety and distress to victims,” the Privacy Commissioner said.

The Ministry of Justice said it would not provide more detailed information about its response to the incident because “malicious actors” behind such activity could monitor public comment. The National Cyber Security Centre repeated that advice, saying public statements could be used to further leverage the incident and cause harm to others.