Cyber Incident Victim: Master Builders
Date: May 2023
Location: New Zealand
Summary
Master Builders experienced a multiday outage affecting its websites and member services due to a cybersecurity incident impacting its IT service provider. The organization stated there was no evidence of a member data breach, though investigations were ongoing. The disruption prevented members from downloading contracts or lodging guarantee applications online, though alternative methods via phone and email remained available. The incident was part of a broader attack on the service provider, which impacted several of its customers.
Description
On or around May 29, 2023, a cybersecurity incident impacted Master Builders, an industry group in New Zealand. The incident was not a direct attack on Master Builders itself but was instead the result of an attack on its IT service provider, Lantech. This Auckland-based IT services provider experienced a cyber attack on that date, which impacted a number of its customers, including Master Builders. The attack targeted one of the platforms Lantech uses to host its clients' websites and services.

The primary impact of this incident was a multiday outage that rendered Master Builders' websites inaccessible and took various member services offline for nearly a week. The websites were restored and came back online on the morning of June 1, 2023. During the outage, members of the Master Builders organization were unable to download contracts or lodge their Master Build 10-Year Guarantee applications via the website. These are critical services for members who rely on them for their business operations and client engagements. Despite the online services being unavailable, members could still phone or email the organization to receive the necessary paperwork, ensuring some level of business continuity, albeit through less efficient, manual processes.
Master Builders engaged with its service provider to work on restoring the systems. A spokeswoman for Master Builders stated that the organization was working closely with Lantech to address the issue and bring the hosted platforms back online. The investigation into the cause and full scope of the incident was ongoing, with Lantech and Master Builders collaborating with relevant government agencies. Lantech's chief executive, Ray Noonan, confirmed that the company had been informed about the attack and was working with these agencies, but he declined to comment on individual customers, stating that Lantech had been in direct contact with all impacted organizations.
A significant aspect of the response was communication. Master Builders provided its members with regular updates regarding the incident and the status of the service outage. This was done to keep members informed about the progress of restoration efforts and to manage the impact on their activities. The organization's spokeswoman publicly stated that their IT provider had advised there was no evidence that Master Builders' data was breached. This point was emphasized as a key finding in the initial stages of the investigation, though it was noted that investigations were continuing to confirm this assessment definitively.
The incident highlighted the broader risk associated with attacks on managed service providers. A threat assessment analyst noted that a breach of an IT provider could potentially give an attacker access to the data of many of its customers. This incident occurred within a context of increasing cyberattacks on IT services companies in New Zealand, particularly those hosting managed services. For example, in December of the previous year, a ransomware attack on another IT provider, Mercury IT, compromised files for several clients, including a health insurer, business groups, and a court. This pattern demonstrates the cascading effects a single attack on a service provider can have across multiple organizations and sectors.
The response to the Master Builders incident involved both the affected organization and its supplier. Lantech took responsibility for managing the technical response to the attack on its infrastructure while keeping its clients apprised of the situation. The involvement of government agencies indicates that the incident was considered significant enough to warrant official attention and investigation. However, specific details regarding the nature of the attack, such as whether it involved ransomware or another type of malware, were not disclosed by either Master Builders or Lantech. Similarly, no specific threat actor was identified in the public reporting on the event.
Financial and regulatory contexts were also part of the surrounding reporting, though not directly tied to the Master Builders event. The reporting noted that New Zealand's Justice Minister had recently ruled out making it illegal to pay ransomware demands, a stance reiterated just a month prior. This was contrasted with contemporary cybersecurity funding initiatives in Australia, which included millions of dollars for a new Cyber Security Coordinator and anti-scam centers. These comparisons were made to illustrate differing national approaches to cybersecurity threats but were not presented as a direct response to the Lantech or Master Builders incident.
Consequences of the outage for Master Builders were primarily operational and reputational. The extended loss of online services likely caused inconvenience and potential delays for its members, potentially affecting their business transactions and client service delivery. The need to resort to manual workarounds like phone and email would have increased administrative burdens on both members and the Master Builders staff. The fact that the organization felt compelled to publicly address the incident and reassure members about the integrity of their data indicates a concern for maintaining trust and confidence among its membership base.
In the immediate aftermath, the focus was on restoring services and confirming the security of member data. The continued investigation by government agencies suggests that a full forensic analysis was underway to understand the attack vector and the extent of any potential data access, and to attribute the incident to a particular threat group if possible. The refusal of both Master Builders and Lantech to disclose further details was framed as standard practice during an ongoing investigation, aimed at protecting the integrity of the investigative process and the security of the systems involved. The incident served as a concrete example of the systemic vulnerabilities inherent in relying on third-party IT providers, where a single point of failure can disrupt numerous downstream organizations.
