Cyber Incident Victim: Mercury IT

Date: Nov 2022

Location: New Zealand

Summary

A cyber incident impacted Mercury IT, a managed service provider, compromising systems and affecting downstream customer operations. Personal information was exposed, prompting involvement from national cybersecurity authorities and the Privacy Commissioner to address the breach and support affected organizations. The response emphasized mitigating risks, securing data, and ensuring timely notifications to individuals whose sensitive details were potentially accessed.

Description

On November 30, 2022, New Zealand’s National Cyber Security Centre (NCSC) publicly acknowledged an ongoing cybersecurity incident affecting Mercury IT, a managed service provider (MSP). The NCSC initiated a coordinated response effort, working directly with Mercury IT and other relevant agencies to assess the scope and severity of the breach. Organizations utilizing Mercury IT’s services were advised to immediately review their systems for indicators of unauthorized access or anomalous activity, suggesting potential compromise of client networks through the MSP’s infrastructure. The NCSC emphasized the incident’s significance due to the inherent risks posed by MSP breaches, which can cascade across multiple downstream customers. Impact assessments remained ongoing at the time of the announcement, with no definitive public confirmation of the specific attacker methodologies, data exfiltrated, or total number of affected entities.

The Office of the Privacy Commissioner concurrently issued guidance underscoring the incident’s potential implications for personal information security. Organizations relying on Mercury IT were urged to proactively audit their data holdings to identify any compromised personal data, adhering to mandatory breach reporting obligations under New Zealand’s Privacy Act if thresholds were met. This guidance highlighted the necessity for robust incident response plans, particularly for third-party service provider compromises. The NCSC maintained its advisory role, offering direct support to Mercury IT’s affected customers while continuing its investigation alongside the MSP. No further details regarding containment measures, restoration timelines, or attribution were disclosed publicly as the incident response progressed.
