New Zealand's stock exchange (NZX) has admitted its cyber-security wasn't up to scratch when it fell victim to a spate of cyberattacks this year.
The spy agency admitted on Monday it was caught off-guard by the attacks on numerous organisations.
But security experts say that was just the tip of the iceberg of cyber-crime targeting our country and not even our government is immune.
Sam Pickles, one of the country's top cyber attack defenders, says his company RedShield has seen a surge in attacks aimed at Aotearoa.
"We're seeing around 3000 to 5000 attacks per minute," RedShield co-founder Sam Pickles told Newshub.
"We would have seen an increase of maybe tenfold in New Zealand this year alone."
RedShield's map of attacks in real-time shows how much of a target we are.
You can't even see our country because it is covered in so many cyber attacks right now.
Newshub understands the attack on NZX was the largest in our history.
Four hundred gigabytes of traffic had slammed its system every second. Even intelligence officials were caught off guard.
"What we saw with the attack on the NZX was a more sophisticated and determined actor than we had seen before," GCSB Director-General Andrew Hampton told Newshub.
On Monday, the NZX admitted it wasn't prepared.
"NZX accepts that it did not meet its high standards in certain areas of its technology systems," it said in a market update.
For the first time, Newshub can reveal how it happened.
Devices in Russia, China, the US, UK, Eastern Europe, Vietnam, the Philippines, and even inside New Zealand were taken over and used to silently bombard the NZX, shutting its system down.
But the exact location of the person behind it remains a mystery.
"No-one knows exactly who it is, but it's our assessment and our partners' assessment that it's not a state-sponsored actor, that it's a criminal actor," Hampton said.
Newshub understands that the week after the first attack on the NZX, the spy agency, the Government Communications Security Bureau, ran an assessment of every government agency's systems to check if they were safe.
That suggests it wasn't sure that they were.
"The NZX attacks were a DDoS attack, the organisations who are best placed to respond to DDoS attacks are the organisations themselves - their security providers," Hampton said.
But it's now added DDoS attacks to its remit.
It's been a wake-up call for companies too, with many now paying for controlled attacks, to find their weaknesses.
"There has been a degree of complacency within some organisations in New Zealand thinking that perhaps we were a safe haven from cyber attack - obviously we aren't," Pickles said.
And as the NZX learned the hard way, complacency is now no longer an option.