Mercury IT

Mercury IT operates as a managed service provider (MSP) headquartered in New Zealand, delivering information technology services and support to other organizations. Its core business involves managing and maintaining client IT infrastructure, systems, and operations, which positions it as a critical component within the technology supply chains of its downstream customers. The nature of its services means it handles sensitive data and possesses administrative access to client environments, creating a significant trust relationship and a concentrated risk profile. The company's operational scope is defined by its role in supporting the digital functions of various New Zealand-based enterprises, though specific market sectors or client counts are not detailed in the available information. Its business model is inherently dependent on the security and reliability of its own systems, as a compromise at Mercury IT directly threatens the continuity and confidentiality of its clients' operations and data.

The defining event in the known public record for Mercury IT is the cyber security incident confirmed on 30 November 2022. This incident resulted in the compromise of Mercury IT's own systems, which subsequently disrupted the operations of its customers and led to the exposure of personal information. The severity and cross-organizational impact of the breach prompted a formal response from New Zealand's national cybersecurity agency, the National Cyber Security Centre (NCSC), and the Privacy Commissioner. This regulatory involvement underscores the incident's significance and the sensitive nature of the data Mercury IT processes. The subsequent response actions, as coordinated with authorities, focused on containing the breach, securing compromised data, and facilitating notifications to individuals whose personal details may have been accessed. This event establishes Mercury IT's operational context as an MSP where a security failure has profound downstream consequences, attracting direct oversight from national privacy and cybersecurity regulators. The incident serves as a key reference point for understanding the company's risk environment and its obligations under New Zealand privacy law to protect the information it holds on behalf of clients.