Thousands of coronial files, post-mortem reports caught up in Ministry of Justice hack

Thousands of coronial files, post-mortem reports caught up in Ministry of Justice hack
Photo credit: Getty Images

Thousands of coronial files and post-mortem reports are caught up in a cyber security incident at the Ministry of Justice.

The hack didn't target the ministry's systems directly, it said. Rather the external company affected provides IT services to a third-party provider the ministry has contracts with.

Ministry of Justice chief operating officer Carl Crafar said at this stage, it's believed the incident affected access to approximately 14,500 coronial files relating to the transportation of deceased people, and approximately 4000 post-mortem reports.

The coronial transport files are for cases nationwide from November 2018 to November 2022. The post-mortem data relates to files from Northland, Waikato, Bay of Plenty, Taranaki, Wellington, Horowhenua-Kāpiti, Nelson-Marlborough, Otago, and Southland from March 2020 to November 2022.

The Ministry of Justice was told about the incident on November 30 and immediately informed the relevant government authorities.

Crafar said while the cyber security incident had blocked access to the data, there was no evidence at this stage the data had been taken. However, the ministry couldn't rule that out and the incident is being investigated by cyber security experts.

"We acknowledge that this incident has affected information that is sensitive. We will continue working to understand the extent of the incident," Crafar said.

"We are conscious that so-called malicious actors behind such activity can monitor public commentary on incidents of this nature so will not be providing more detailed information on our responses at this time."

Although the incident is related to an external supplier's systems, the Ministry of Justice is working with the suppliers and other government agencies, including the National Cyber Security Centre, Office of the Privacy Commissioner, Police, and CERT NZ to fully understand the extent of the issue. The Chief Coroner has also been informed.

The Office of the Privacy Commissioner said there had been a cyber security incident involving a ransomware attack on Mercury IT.

"This is an evolving situation. We were notified of the cyber security attack on 30 November 2022. Urgent work is underway to understand the number of organisations affected, the nature of the information involved and the extent to which any information has been copied out of the system," they said.

"The Office of the Privacy Commissioner is planning on opening a compliance investigation into this incident so that it can make full use of its information gathering powers. We encourage any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner."

They said cyber security breaches are becoming a regular occurrence, and while work is underway to respond to this incident, they have some messages for people and organisations.

"It is important that people who receive or find information related to this, or any other cyberattack, do the right thing. Do not spread it. Do not share it. Report it to the New Zealand Police. No one should contribute to its widespread dissemination. Spreading this information or profiteering from it causes anxiety and distress to victims," they said.

"For individuals - be on the lookout for anything out of the ordinary. Watch out for suspicious texts, emails or unusual things happening with your accounts or records. Be particularly cautious of contact from an unknown source."

More information is available here if people would like to know more about steps they can take to protect themselves from privacy breaches.

"For organisations who hold the personal data of New Zealanders. You have a responsibility under the Privacy Act to take all reasonable steps to ensure that information you hold in trust is safe from cyber-security breaches. This includes where services are contracted from a third party," the Office of the Privacy Commissioner said. 

"A failure to take these steps is a breach of the Privacy Act and can result in compliance and enforcement action. This can include the requirement to 'put things right' – for the impacted individuals and in terms of information security systems and processes. There is no room for any organisation to be complacent. Trust is hard won and easily lost."

Corry Tierney, director at Mercury IT, also confirmed they were told on November 30 that they were a victim on a cyber incident. He said a "malicious and unauthorised actor" gained access to their server environment.

"This was immediately escalated to senior management. The incident was raised with relevant government authorities, and we have engaged external specialist support," Tierney said.

"Our response to understand how this occurred, and address the impacts, is at an early stage; however, all possible steps have been taken to secure our environment. We are committed to supporting our impacted clients with their own investigations wherever possible and we apologise, sincerely, for the impact this attack has caused.

"We cannot provide further information on the impact and our mitigation at this time as the actors behind this incident, or others, can leverage any publicly available information."

For those who think they may be affected by the Ministry of Justice breach, they can email or dial 0800 638 924. The 0800 number will be open from 8:30am to 5pm from Wednesday.