Quarter One Cyber Security Insights 2024

This quarter, CERT NZ responded to 1,530 incident reports about individuals and businesses from all over Aotearoa. This report shares information about these incidents as well as highlights examples of work CERT NZ is doing to help. There are two parts to the report:

A Highlights Report focusing on selected cyber security incidents and issues.

A Data Landscape Report providing a standardised set of results and graphs for the quarter.

$6.6 million in direct financial loss was reported in Q1, up 84% from Q4 2024. 19% of incidents reported financial loss.

1,530 incidents were responded to by CERT NZ in Q1 2024, down 20% from Q4 2023.

The biggest drop in number of reports was in the Phishing and Credential Harvesting category which saw a 40% decrease on Q4 2023.

Scams while buying or selling goods online went up by 15% from 214 in the previous quarter to 247 in Q1 2024.

A total of 1,530 incidents were responded to in Q1 2024.

YEAR	QUARTER	INCIDENTS
2024	1	1,530
2023	4	1,903
2023	3	2,136
2023	2	1,950
2023	1	1,968
2022	4	1,757
2022	3	2,069
2022	2	2,001

Phishing and Credential Harvesting remains the most reported incident category in Q1 2023 despite a 36% drop in the number of reports.

2024 quarter 1 incidents by category graph

Incident category	Incident count	Percent change from previous quarter
Phishing and credential harvesting	699	-36%
Scams and fraud	487	-1%
Unauthorised access	166	1%
Malware	31
Website compromise	25	+32%
Ransomware	12	+50%
Suspicious network traffic	4	+300%
Denial of service	3	+50%
C and C server hosting	1	0%
Botnet traffic	1	0%
Attack on system	0	-100%
Other	101	+9%

Focus Area: Battling Breaches

Data breaches are a significant concern for organisations of all sizes and their clients and customers.

A data breach occurs when an unauthorised person gets access to information they shouldn’t have. This can include anything from names and email addresses to credit card details, passwords, and intellectual property.

How it happens

Data breaches can happen because of an intentional attack or unintended error.

Cybercriminals can exploit vulnerabilities in systems or networks to access your data.
Someone in your organisation may be targeted in a phishing attack and tricked into revealing important information, such as their login details.
Insider threats can be a source of a data breach. Anyone with authorised access could misuse their privilege or intentionally leak information.
Data can also be leaked through human error, such as in an email to the wrong person, or through misplaced or stolen devices containing sensitive information.

Effects of a breach

A data breach can affect your organisation in many ways.

Financial: your organisation could incur costs such as legal fees, penalties and the cost of remediation.
Reputational: a data breach can erode customer trust and affect brand credibility.
Legal: if you are a business owner, you are obligated by the Privacy Act 2020 to protect peoples' personal data and to report breaches promptly.
Personal: stolen personal data can lead to identity theft, financial fraud, and other malicious acts.
More phishing: people whose information has been leaked may become the target of more phishing attacks .

Drum up your defences

Good security practice is your best defence against potential attacks. Add layers of protection around the data you store to protect it from those who try their best to get their hands on it.

Only collect essential data from your customers. The more you collect, the more valuable it is to an attacker and the bigger the impact if it's made public.
If you’re collecting data, make sure you’re encrypting it to prevent unauthorised access. This includes while it’s:
- in transit – for example, collecting data from your customers through a web form, and
- at rest – when it’s stored in a database.
Make sure that two-factor authentication (2FA) is required to access any data you keep, to add an extra layer of security.
Make sure your software applications and systems are up to date by installing the latest updates from the vendor.
Train employees on best practices, including recognising phishing attempts and handling data securely.
Limit access to sensitive information by making sure your employees only have access to what they need to do their job.
Regularly back up data to secure locations. While this won't help prevent attacks, it can minimize the impact of data loss.

Case Study: James and the Giant Breach

James* is the IT manager of a shoe and clothing store chain called Centipod*, which has 40 employees across eight stores in New Zealand. He is alerted to a post on an online forum threatening to sell his company data, with the attacker claiming that 10,000 records are available. James realises that someone has gained unauthorised access to the database of the store’s customers.

His next actions will be crucial in deciding how the company meets this challenge. James has had previous experience of a data breach and he takes the following steps.

Containment

James identifies which system has been affected and isolates it by taking it offline. He changes the password on the administrator account and instructs all employees to do the same on theirs to prevent further unauthorised access.

Assessment

He assesses the extent of the breach and determines that information of around 10,000 customers has been compromised, validating the hacker’s claim. The attacker couldn't get credit card details, but they may have obtained customers’ email addresses, phone numbers and past invoices.

Notification

James notifies the office of the Privacy Commissioner within 72 hours, as stipulated in the Commissioner’s Privacy Breach Guidelines. He also reports the incident to CERT NZ, which advises him on next steps and how to inform his employees and customers of the breach.

Resources

Investigation

James starts to investigate how this breach happened. He discovers that a phishing email had been sent to a shared inbox claiming to come from their accounting firm. An employee had clicked on the link which took them to a page that collected their login credentials. James decides to schedule a security training workshop for all employees.

Communication

Over the next few days, Centipod employees respond to queries from customers and stakeholders, telling them how they have been affected and what they can do. Centipod also co-ordinates with CERT NZ to put up messages across its social media platforms and prepares an incident response plan to be more prepared for future incidents.

*This case study uses fictitious names to illustrate typical incidents of data breach reported to us.

Insight: A report on reports

Nearly all of CERT NZ's information comes from the general public – people like you.

When businesses and individuals report online incidents to us, we know what scam and malware campaigns are affecting New Zealand. In this way, every report not only helps you, but all Kiwi.

You can report any cyber incident confidentially. If you're locked out of your accounts, suspect you have been targeted in a scam, or if your organisation suffers a data breach, you can report it to us using the reporting tool on CERT NZ’s website.

Handling reports

CERT NZ works with partner agencies, like the New Zealand Police, the Department of Internal Affairs, banks and telecommunication companies. If you need more help, and consent to it, we can forward your report to these agencies.

You don’t have to experience an incident online to talk to us. If you think you or someone you know is being targeted in a scam, CERT NZ can provide technical advice.

What’s happening behind the scenes?

Almost half of the reports we receive are about phishing. Domains and URLs that are verified as phishing links get listed on CERT NZ’s Phishing Disruption Service (PDS). Organisations such as cyber security service providers who are subscribed to the PDS can block access to these domains so no one in the organisation they serve can get to the sites.

CERT NZ also sends takedown requests to service providers that host these domains. Often, these providers are based overseas. If they comply with our request, the website gets taken down and can’t be used to scam other New Zealanders.

But we cannot stop online attackers from creating a new domain or website and starting over again. We are alerted to these new domains when you report to us and the cycle repeats.

Insight: A case for passkeys

You might have heard some of the most popular phone apps are switching to or enabling passkeys to make logging in easier and more secure.

Passkeys are a way of logging in without passwords. They use something you have (like a USB key or your phone), or recognise who you are with your face scan, voice or fingerprint, to let you into your account. You may already have apps on your phone, such as your digital wallet, that use this form of authentication.

What happened to passwords?

Passwords are the most popular tool for authentication. But scammers are always trying to get their hands on them, and their jobs are made easier when people don't have strong passwords or use the same password for multiple accounts.

That’s where passkeys have an advantage. Passkeys are device-specific, and your data is not saved on a website server. So even if the website suffers a data breach, scammers can’t steal your credentials.

Are passwords history?

Not quite. Passwords are handy and if done right, they can be a strong line of defence. If you use long and unique passwords, attackers can’t brute force their way into your account. CERT NZ strongly advises enabling two-factor or multi-factor authentication on your most important accounts, such as banking, email and social media, to make them more secure.

Use two-factor authentication to protect your accounts External Link — Own Your Online

Most sites and apps that let you use a passkey also require you to have a backup password that helps you recover your account. Not all devices can perform face or fingerprint scans, or take external keys, so passwords remain the most common method of verifying user identity. CERT NZ has a guide on creating good passwords and protecting your online accounts.

Create good passwords External Link — Own Your Online

The upside

Using passkeys can make logging in faster.
You don’t have to create, or remember, complex passwords.
Passkeys are phishing-resistant – scammers cannot remotely log in to your account with a password because there is none.

The downside

If you lost access to all your devices at once, it can be difficult to enter your own account.
Biometric logins don’t always work and may need you to use your password. For example, when trying to use a finger scan with greasy or wet fingers, or a face scan in the dark.
Devices that read fingerprints or can recognise face scans can be more expensive. If you use an external key or a second device for authentication, that is an additional cost as well.

Sign up to the quarterly newsletter to receive CERT NZ’s reports and updates.

Subscribe