Cyber Incident Victim: Smith & Caughey’s

On May 29, 2024, Smith & Caughey’s, a 144-year-old Auckland department store, publicly announced its proposal to cease operations in early 2025. The closure plan coincided with a confirmed cyberattack against the retailer, though the exact timing of the intrusion relative to the closure announcement remained unspecified in public reporting. No technical details regarding the attack vector, malware type, or initial compromise method were disclosed. The company did not release information about data exfiltration, ransomware deployment, or operational disruptions stemming from the incident. The cyberattack represented an additional operational challenge during a period of significant organizational transition, as the proposed closure would result in job losses across its retail workforce.

The simultaneous occurrence of a major business decision and a cybersecurity incident introduced reputational and operational complexities for the historic retailer. Established in 1880, Smith & Caughey’s occupied a prominent position in New Zealand’s retail sector, amplifying public interest in both events. The company’s public communications did not establish a confirmed causal relationship between the cyberattack and the closure decision. No forensic findings, threat actor attribution, or system recovery timelines were published at the time of initial reporting. The incident highlighted cybersecurity risks facing retail organizations during periods of organizational restructuring, though the specific financial or data-related consequences of the attack remained unquantified in available disclosures.