Cyber ​​minister needed as attacks surge, security expert says


New Zealand needs a dedicated cybersecurity minister, says industry expert, on back of healthcare provider hack.

A cyberattack siphoned off Pinnacle Health Network patient data and insights September 28 and it was downloaded from the dark web.

Attacks are on the rise around the world, said CyberCX Executive Director of Security Testing and Assurance Adam Boileau, and governments need dedicated resources to protect cyber and civilian infrastructure.

“We need a dedicated cybersecurity minister to protect and regulate an industry that is at the heart of everything we do.”

* 350 cyberattacks on New Zealand last year, a third of them by state-sponsored exploitation groups
* Major Data Breach at Spotless Cleaning and Restoration Company
* Hackers publish customer data removed from Auckland financial services firm on dark web


Patient information held by PHO Pinnacle was allegedly compromised in a cyberattack (video first posted on Tuesday).

New Zealand’s privacy laws were enacted when cyberspace and security were different issues, and needed to keep pace because security, privacy and information were fundamental to society, he said.

“Entrusting security and data protection to the private sector is no longer enough,” he said.

“Australia appointed its first-ever cybersecurity minister a few months ago, and we’ve already seen the value of a dedicated role.”

He said following a “massive” data breach at Australia’s largest telecommunications company, OptusNew cybersecurity minister Clare O’Neill moved quickly and publicly to hold the company to account and strengthen the legislation.

“It’s an example we should learn from – while New Zealand is geographically isolated, it makes no difference in cyberspace.”

Pinnacle chief executive Justin Butcher (right) said patient information was compromised in the cyberattack.


Pinnacle chief executive Justin Butcher (right) said patient information was compromised in the cyberattack.

Privacy Commissioner Michael Webster would not comment on whether there should be a single minister for cybersecurity – instead of having multiple ministers whose portfolio responsibilities included a cybersecurity component.

But he said Pinnacle’s breach was a timely reminder that everyone respects the personal information of others by not accessing any stolen information posted online.

“Any information from this breach could be sensitive, which could cause a great deal of anxiety for those affected.”

Individuals affected by the breach should be alert to emails, phone calls, and text messages claiming to be from Pinnacle, financial institutions, telecommunications carriers, government, or other agencies asking you to click link, provide personal or identifying information, or request that you provide remote access to your device.

He encouraged those affected to enable two-factor authentication on their accounts to add an extra layer of security.

“Unfortunately, scammers and cybercriminals take advantage of privacy breach events to attempt to trick community members into providing personal, account or credential information, infecting devices or motivate individuals to perform actions as part of a scam.

“If you receive or find this information, do the right thing – notify Pinnacle and the police. Do not access or share the information and keep it in quarantine until told to delete it .

He said protecting privacy and cybersecurity required vigilance and regular review to ensure processes remained fit for purpose.

“Cybercriminals are constantly evolving their approaches.”

A Pinnacle spokesperson said the 0800 number set up for those affected had received 187 calls.


A Pinnacle spokesperson said the 0800 number set up for those affected had received 187 calls.

Webster said a key lesson from the Optus breach in Australia was “the critical importance” of only collecting and keeping the information you need.

“The more data an organization holds, the greater the potential harm. Organizations can mitigate this risk by ensuring that they only collect the personal information they need for business purposes, that they adequately ensure that it is protected from harm, and then destroy it in safely when they are no longer needed.

He said all organizations should have a privacy or data breach response location, which has been tested the same way you would have a fire or disaster response plan. earthquake.

“It has to be part of the muscle memory of an organization. This includes how you would communicate with potentially affected people as you undertake triage to identify those who are actually affected.

“Cybercriminals and scammers will not wait for you to complete your processes and your customers/clients have the right to take action to protect themselves.

“Cyberattacks are increasing, and so are the costs to prevent and respond to them.”

A Pinnacle spokesman said the 0800 number set up for those affected had received 187 calls – as of midday on Tuesday – and no particular themes had emerged.

The information and data collected related to past and present patients and clients of Pinnacle Group in Waikato, Lakes, Taranaki and Tairāwhiti districts.

It also included the practices of Primary Health Care Ltd of Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.

This attack followed the Waikato District Health Board hack in May last year when sensitive patient data was stolen.

Netsafe would not comment on whether New Zealand needs a cybersecurity minister or on cybersecurity and legislation in New Zealand.


About Author

Comments are closed.