Cyber Incident Victim: LANtech

On May 29, 2023, Auckland-based IT services firm Lantech experienced a cyber security incident. The attack impacted the company’s vOffice platform. A limited number of customers were affected by this breach. The incident was brought to public attention following an anonymous tip-off to the New Zealand Herald. Lantech chief executive Ray Noonan confirmed the event, stating that as soon as the company became aware of the issue, it engaged external specialist support for assistance. The investigations into the breach were described as being in their early stages at the time of the initial report. Lantech also informed and began working with relevant government agencies in response to the incident. Direct communication was established with the customers who were impacted by the event, and the company was in contact with the office of the Privacy Commissioner.

Fire and Emergency New Zealand (Fenz) was identified as a customer of Lantech, featuring in a case study on the IT firm’s website. When contacted for comment, both Lantech and Fenz declined to discuss the cyberattack. Lantech refused to comment on individual customers, and Fenz referred all questions back to the IT services company. However, when asked to confirm the operational status of its systems as a matter of public interest, a spokesman for Fire and Emergency New Zealand stated that all of its systems were operational. This confirmation indicated that the emergency services provided by Fenz were not disrupted by the incident affecting their IT supplier.

The nature of the cyberattack was not publicly disclosed by Lantech. When specifically asked by the Herald if the incident was a ransomware attack, Chief Executive Ray Noonan declined to provide additional comment. He stated that the company was not prepared to discuss the nature of the incident or its response at that time, citing concerns that malicious actors could be aware of public statements about such incidents. This refusal to categorize the attack left its specific mechanics undetermined in the public reporting.

The incident at Lantech occurred within a broader context of increasing cyberattacks targeting IT services companies, particularly those that host managed services for multiple clients. Brett Callow, a threat assessment analyst with the New Zealand-based cybersecurity firm Emsisoft, provided general commentary on the trend, noting that a breach of an IT provider could potentially give an attacker access to the data of many of its customers. This observation highlighted the systemic risk posed by such attacks on service providers.

A prior example of this type of attack was referenced with the December ransomware attack on Wellington-based Mercury IT. In that incident, files hosted for a range of clients were compromised, including those of health insurer Accuro, BusinessNZ, the NZ National Nurses Association, and the Coroners Court. This precedent illustrated the potential for a single attack on an IT supplier to have widespread consequences across its customer base.

The governmental response to such cyber threats in New Zealand was also part of the contextual background. In October of the previous year, Justice Minister Kiri Allan had ruled out making it illegal to pay a ransomware demand. She stated that such a move would criminalize the victims of these attacks. This stance was reiterated by the Minister the month prior to the Lantech incident, in April 2023. This policy position contrasted with initiatives in Australia, as detailed in that country's recent 2023 Budget. Australia earmarked A$46.5 million to establish a Co-ordinator for Cyber Security to coordinate multi-agency efforts during a cyber incident. The Australian Budget also significantly increased funding for its e-Safety Commissioner and allocated A$86.5 million to establish a new National Anti-Scam Centre, which included plans for an SMS Sender ID Registry to help prevent scammers from imitating trusted brands. These substantial investments in cybersecurity capabilities were not matched by similar initiatives in New Zealand's own 2023 Budget.

Concurrently, another unrelated IT incident was reported in New Zealand involving InternetNZ, the administrator for the .nz domain. Earlier in the same week as the Lantech disclosure, a routine annual upgrade of security keys went haywire, taking multiple websites and applications offline. InternetNZ denied that recent staff changes had contributed to this outage and was still working to establish the precise reasons for the failure at the time the article was published. This event served as another example of the fragility of digital infrastructure.