Cyber Incident Victim: Smartpay

On June 10, 2023, the eftpos payment system operator SmartPay publicly disclosed it was investigating a cybersecurity incident. The company stated the incident involved some of its systems located in New Zealand. In an official statement released to the NZX stock exchange, SmartPay confirmed that criminals had successfully stolen information. This stolen data pertained to a group of the company's customers operating in both New Zealand and Australia. The immediate response to the incident involved taking steps to contain the breach. The company engaged cybersecurity specialists from the firm CyberCX to assist with the investigation and response efforts. Relevant government authorities were also notified and involved in the process.

As part of its initial public communications, SmartPay stated that its highest priority was understanding the specific contents and the full extent of the data that had been stolen. The company's ongoing response efforts were focused on prioritizing the safety and security of its systems and the services it provides to its customer base. Despite the security incident, SmartPay assured its clients that there was no interruption to their core payment processing services. The company's customers, which include retail and hospitality businesses, were able to continue using their eftpos terminals without disruption. The company explicitly advised that there was no immediate action required from its customers and committed to contacting any affected customers directly.

A significant point of clarification provided by SmartPay was regarding the type of data it handles. The company stated that it does not collect or store individual cardholder information or details as part of its standard transaction processing. This indicates that the stolen information was likely related to its business customers rather than the financial data of consumers using payment cards at terminals. The incident had a direct and immediate financial impact on the company itself. Following the announcement of the cyber attack, SmartPay's shares on the New Zealand stock exchange experienced a decline. The company’s share price dropped by 3.88 percent, closing at seven cents per share on the day the news broke.

The broader market context on the day of the announcement was relatively quiet. The benchmark S&P/NZX 50 Index ended the trading week on Friday with a gain of 0.96 percent, or 112.593 points, closing at 11800.040 points. Market activity was moderate, with 54 stocks rising and 39 falling, and a total of $7.25 million in shares traded. A director at Jarden, Greg Main, commented that the main theme influencing the market that day was the reweighting of stocks in the FTSE and S&P indices, which created some specific movements. He also noted that the New Zealand market had benefited from a rally in the United States over the preceding two days, but stated there was no consistent theme across the market overall. Other notable gainers in the market included Vista, Ebos, Vital Health Care, and Fisher & Paykel Healthcare.

Coinciding with the news in New Zealand, United States stock markets also experienced significant gains overnight. The S&P 500 rallied by 1.2 percent, reaching its highest level since April 2022. The Dow Jones Industrial Average climbed 428 points, representing a 1.3 percent increase, and the Nasdaq composite rose by 1.1 percent. This upward movement marked the sixth straight gain for the S&P 500, representing its longest winning streak since late 2021. The market's performance was set against the backdrop of the Federal Reserve's recent warning that it could raise interest rates two more times within the year as part of its ongoing battle against inflation. The Fed's benchmark rate was already at its highest level since 2007.

The Federal Reserve's strategy aimed to find an equilibrium for interest rates that would slow American spending enough to control inflation without triggering a deep recession. Economic reports released on the previous day presented a mixed picture regarding the effectiveness of this effort. Despite the Fed's hawkish stance, the market's relentless rise fostered hopes among investors that the Fed might ultimately raise rates only once more and that the economy could avoid a painful recession. Since hitting a low in October of the previous year, the stock market had leaped nearly 24 percent, driven by an economy that had so far avoided a recession and a steady decline in inflation from its peak the previous summer. The S&P 500 closed at 4,425.84, a gain of 53.25 points. The Dow Jones Industrial Average finished at 34,408.06, up 428.73 points, and the Nasdaq ended the day at 13,782.82, an increase of 156.34 points.

The incident at SmartPay underscores the financial and operational risks that cybersecurity events pose to modern payment processors. While the company managed to maintain service continuity for its merchants, the theft of customer data and the subsequent drop in its share price highlight the tangible consequences of such breaches. The engagement of external cybersecurity experts from CyberCX indicates a response prioritizing expert containment and forensic analysis. Involving government authorities aligns with standard incident response protocols and regulatory expectations for significant cyber events. The company's primary investigative focus on determining the scope and nature of the stolen data is a critical step for managing the aftermath, including potential regulatory obligations and communications with affected parties. The assurance that no individual cardholder data was compromised likely served to mitigate broader consumer concern, focusing the impact primarily on its business clientele. The market's reaction, though negative for SmartPay specifically, was absorbed within a day of generally positive broader market activity, demonstrating how company-specific news can generate outcomes independent of larger market trends.