Cyber Incident Victim: Auxo Software
Date:
Feb 2024
Location:
New Zealand
Summary
A software company providing services to automotive dealerships and workshops experienced a cyberattack resulting in unauthorized access and extraction of confidential client data, including individual customer information from mechanics' workshops. Hackers issued a ransom threat to publish the stolen data on the dark web if demands were unmet, prompting the victim to secure a High Court injunction prohibiting misuse of the datasets. The company engaged international cybersecurity and legal experts, notified affected customers, and reported the incident to law enforcement and privacy authorities. A linked dealership confirmed its internal systems were uncompromised but is investigating potential exposure of its data through the third-party breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early February 2024, overseas hackers executed a cyber attack against Auxo Software, a provider of automotive workshop and dealership management systems wholly owned by New Zealand’s Motor Trade Association (MTA). The attackers copied and extracted confidential client information stored within Auxo’s systems, which included individual customer data collected from mechanics’ workshops. Auxo, rebranded from Australasian Automotive Business Solutions Ltd after its 2021 acquisition by MTA, serves approximately 50% of New Zealand’s vehicle workshops and 40% of dealerships. The hackers issued a ransom demand, threatening to publish the stolen datasets on the dark web if unpaid, a scenario described in High Court documents as a “credible threat and significant risk.” Auxo filed an urgent High Court application under its former legal name, resulting in Justice Timothy Brewer issuing a restraining order against unidentified defendants to prevent the use, sharing, or publication of the stolen data. Hamilton dealership Coombes Johnston European Ltd was specifically named in court filings as a potential data exposure victim, though its internal IT systems remained uncompromised. Auxo CEO David Murdoch confirmed the attack had been “contained” but declined to specify mitigation steps or the ransom amount, citing ongoing investigations.
Auxo engaged international legal and cybersecurity experts and directly notified affected customers, though the total number of compromised clients remains undisclosed. Coombes Johnston initiated its own external investigation to determine the extent of its data involvement while emphasizing that its systems were not breached. New Zealand Police and the Office of the Privacy Commissioner were notified of the incident. Murdoch acknowledged the practical limitations of a New Zealand High Court injunction against offshore threat actors but characterized it as a “belt and braces” measure to demonstrate due diligence in protecting customers. Auxo also indicated readiness to pursue similar legal orders in Australian courts if required, reflecting its trans-Tasman client base. The breach marks the second major incident within a year involving New Zealand driver data, following the March 2023 ransomware attack against financial firm Latitude that exposed over one million driver’s licenses. No further details regarding data recovery, ransom payment, or hacker identification were disclosed.