
Cyber Incident Victim: Gravitas

Date: Jul 2020

Location: New Zealand

Summary

The New Zealand Police terminated their contract with research firm Gravitas following a data breach involving sensitive information about police complainants. Gravitas lost the data in a hack attributed to Nigerian hackers, notified the agency, and reported the incident as a criminal matter, which subsequently triggered an internal police investigation into the security failure.


Description

On or before July 15, 2020, the New Zealand Police terminated their contract with Auckland-based research firm Gravitas following a data breach involving sensitive information about police complainants. The breach occurred when Gravitas lost control of the data during a cyberattack attributed to Nigerian hackers. Gravitas detected the incident and proactively alerted the New Zealand Police to the unauthorized access and loss of complainant information. The firm also formally reported the incident to law enforcement as a criminal act, prompting the Police to initiate their own investigation into the breach. Assistant Commissioner Jevon McSkimming publicly acknowledged the incident in early July 2020 without initially disclosing Gravitas as the involved third party.

The breach directly compromised personal information belonging to individuals who had filed complaints with the New Zealand Police, though specific details about the number of affected individuals or exact data elements were not disclosed publicly. As a consequence of the security failure, the Police severed their contractual relationship with Gravitas, ending the firm's involvement in handling sensitive police data. The Police investigation into the Nigerian hacking operation remained active at the time of the contract termination announcement. No information was provided regarding whether stolen data was misused, whether ransom demands were made, or whether Gravitas had implemented specific security measures prior to the attack. The incident demonstrated operational risks associated with third-party data handling and resulted in immediate reputational and contractual consequences for the vendor.
