From the Privacy Commissioner of New Zealand’s office, this statement:
Headline: Nurses data breach: what happened and how to get help
If you’re one of the 47 thousand members of the New Zealand Nurses Organisation (NZNO) whose names and email addresses were accidentally disclosed to a criminal third party, you might be wondering what you can do about it. The first thing you need to do is to try and understand what happened and what the risks are to you.
The NZNO yesterday notified our Office – as we would expect – that it had fallen victim to a spear phishing scam. An NZNO staff member received an email purportedly from its chief executive asking for names and contact details of all its members. Unfortunately, these details were sent to that email address before it became clear the request was fraudulent. The information lost consisted of the first names, surnames and the email addresses of all its members.
NZNO advised us that its IT team attempted to retrieve the email but it was too late. It also attempted to contact the email address provider, Yahoo. The organisation reported the incident to Police and has emailed its members to inform them about the breach.
The organisation also notified the Department of Internal Affairs and IDCare, an NGO that provides advice to victims of identity theft. NZNO has confirmed the only information breached was members’ names and email addresses. No financial or other personal information was disclosed.
How we can help
Accidental disclosure of personal information is a risk that every agency holding personal information faces. Our Office provides guidance on safeguards that can be put in place to minimise this risk, but it is always present. Whether the cause is a malicious third-party, a software error, or human error, the risk is never zero.
As well as advice about how to prevent unwanted disclosures (or data breaches), our Office has guidance about how to manage the breach once it has occurred. Although this resource is written to guide agencies, it does give useful information for individuals who have been affected by a data breach.
If you are one of the nurses affected, here’s what you can do:
Contact the NZNO and find out as much as you can.
Find out what information has been disclosed, who it has been disclosed to, and what steps the organisation is taking to resolve the issue.
Understand what information is at risk. This can help you identify passwords that may need to be reset, or prepare for other consequences of your personal information being disclosed. In its assessment of the NZNO incident, our colleagues at IDCare concluded there was a moderate risk that members would receive phishing emails resulting from this event.
Finally, if you’re concerned about a perceived lack of action or transparency about what is being done, you can contact our Office. We have been in contact with the NZNO and it has been open in its communication with us. But one of your rights in these circumstances is to make a complaint for us to investigate your individual case.
Data breaches can affect organisations large and small. This data breach occurred as a result of a response to a malicious spear phishing email that a staff member received and responded to. Spear phishing emails are emails that deceive recipients into believing that they are responding to a legitimate request. These emails can happen to anyone at anytime. We’ve written about another incident of spear phishing here.
All organisations need to be very vigilant about the emails received by its staff. Phishing emails can look incredibly authentic. Staff should be reminded to be cautious about clicking on links or attachments. And remember to check the email address to see whether it is one the sender uses.