Cyber Incident Victim: New Zealand Nurses Organisation
Date: Nov 2016
Location: New Zealand
Summary
The New Zealand Nurses Organisation experienced a data breach when a staff member fell victim to a spear phishing email impersonating its chief executive, resulting in the accidental disclosure of first names, surnames, and email addresses belonging to 47,000 members. The organization promptly notified affected individuals, relevant authorities including law enforcement and IDCare, and attempted unsuccessfully to retrieve the compromised data through its IT team and the email provider. While no financial or additional personal information was exposed, IDCare assessed a moderate risk of members receiving phishing emails due to the incident. The breach highlighted vulnerabilities to targeted phishing attacks despite organizational efforts to address the situation transparently.
Description
On or around November 1, 2016, the New Zealand Nurses Organisation (NZNO) experienced a data breach affecting approximately 47,000 members. The incident occurred when an NZNO staff member received a spear phishing email impersonating the organization's chief executive, requesting names and contact details of all members. Believing the request to be legitimate, the staff member compiled and sent a file containing members' first names, surnames, and email addresses to the fraudulent email account. The organization's IT team later attempted to recall the email and contacted Yahoo, the email service provider associated with the recipient address, but these retrieval efforts were unsuccessful. NZNO promptly reported the incident to New Zealand Police, the Office of the Privacy Commissioner, and the Department of Internal Affairs following discovery of the breach.

The compromised dataset contained no financial information or other sensitive personal details beyond names and email addresses. NZNO notified all affected members via email about the breach and engaged IDCare, a nonprofit identity support service, to provide assistance. IDCare assessed the risk level as moderate, warning that members could become targets of phishing campaigns leveraging the exposed information. The organization maintained open communication with privacy regulators throughout the response process. No evidence suggested further dissemination of the data beyond the initial recipient at the time of reporting, though the criminal nature of the recipient's intent remained a primary concern. The breach originated entirely from the successful deception of staff through a targeted email impersonation attempt rather than technical system vulnerabilities.
