Kiwis who flagged cybersecurity incidents in 2020 reported losses totalling $16.9 million, according to a new report from Cert NZ.

The agency said it received 7,809 reports of incidents in 2020, up 65% from 4,740 in 2019, although the total reported loss in 2019 was $16.7m.

Some 14% of the reported incidents in 2020 indicated some form of financial loss.

But the quarterly report also said the December period saw a 20% decrease in incidents reported, with 2,097, compared to the September quarter, in which 2,610 were reported.

“Most cyberattacks are financially motivated,” said Rob Pope, Cert NZ director.

“However, our figures do not paint the full picture of the types of loss Kiwis have experienced."

“From a financial perspective, the impacts of a cyberattack can snowball. A business may lose revenue because its website has gone down, meaning it’s unable to trade online. This greatly impacts individuals’ livelihoods and therefore has a knock-on effect on the economy.”

Cert NZ was established in 2017. It collects data on cybersecurity incidents reported directly to it and to other bodies such as the New Zealand police, Department of Internal Affairs, and the Commerce Commission, among others.

In August, Pope said the cyberattacks against the NZX that month, believed to have been distributed denial of service attacks, were an example of increasingly sophisticated cybercrime.

The international breach of software provider Accellion’s FTA file transfer software also publicly affected the Reserve Bank of New Zealand, with customer data accessed. A KPMG report into the breach of the bank is due this month.

Familiar trend

In today’s report, Pope praised the benefits of technology but said, “where there’s good there’s always a bit of bad”.

“Quarter four was no exception,” he said. “We continued to see how quickly attackers can evolve their techniques to try and access personal and financial information.”

The report stated 862 (41%) of all the reported incidents in the December quarter were phishing and credential harvesting incidents, the most common method of cybercrime above malware in second.

Of these reported phishing attacks, 44% came from individuals and 19% from businesses and organisations. The rest were reports from local and international partners alerting Cert about phishing campaigns.

Cert said the total of 3,410 phishing and credential harvesting incidents reported to it in 2020 was up 76% from 2019. 

Methods included email as attackers increasingly imitated popular services such as Zoom sought Microsoft account details that if provided, could lead the attackers to private sensitive information. Emails and texts impersonating courier services spiked around the festive season of the December period.

While these numbers are concerning, it is possible they do not reflect the true scale of the digital threat for New Zealanders.

In January, Network for Learning said state school network security systems blocked 2.9m cyber threats daily during term two of 2019.

Pope offered advice to businesses and individuals hoping to avoid potential cyberattacks against them.

“This includes taking measures like good password practice, implementing two-factor authentication as an extra layer of security on logins, making sure software on devices are up-to-date, regularly backing up data, and thinking about how and where you share personal information.”