Cyber Incident Victim: Australia and New Zealand Banking Group (New Zealand)

On September 7, 2021, ANZ New Zealand experienced a widespread outage of its internet banking app and website due to a distributed denial-of-service (DDoS) attack. The incident disrupted customer access to online banking services, though ATM transactions, Eftpos, card payments, automatic payments, bill payments, and direct debits remained operational. New Zealand’s cybersecurity agency, Cert NZ, confirmed multiple organizations were simultaneously targeted by the same DDoS campaign, including Kiwibank, MetService, New Zealand Post, and Inland Revenue. ANZ acknowledged the outage publicly via social media, stating all available resources were dedicated to restoring services. By the morning of September 8, most other affected organizations had recovered, but ANZ’s systems remained offline, extending the disruption for its customers into a second day.

ANZ resolved the outage by 2:27 PM AEST on September 8, 2021, restoring full access to its digital platforms. The bank thanked customers for their patience in a public tweet following service restoration. Cert NZ had actively monitored the attacks and collaborated with impacted entities throughout the incident. The DDoS attack mirrored a 2020 incident against the New Zealand Stock Exchange (NZX), which suffered a week-long outage from similar attacks attributed to a criminal group targeting global financial institutions with extortion demands. No explicit ransom demands or threat actor attributions were disclosed in ANZ’s case. The incident highlighted recurring DDoS vulnerabilities in New Zealand’s critical financial infrastructure, though ANZ’s core transaction systems avoided compromise, limiting direct financial harm to customers.