New Zealand cyber agency reports return of major attacks

New Zealand's National Cyber Security Centre responded to three highly significant cyber incidents in the first quarter, the first cases of that category recorded since the 2021/22 financial year.

These C2 incidents involved key sensitive data or disruption to essential services at organisations of national significance. Such incidents can affect a wide range of people and organisations and often involve highly sensitive information.

Across the quarter, the agency handled 1,164 cyber incidents, slightly more than in the previous quarter. Phishing and credential harvesting were the most commonly reported issues.

Seventy-seven incidents required specialist technical support, down 14% from 90 in the final quarter of 2025. A further 1,087 reports did not require that level of support, up 4% from the previous quarter.

Direct financial losses reached NZD $5.6 million in the quarter, up 76% from NZD $3.2 million in the previous three months.

Individuals accounted for NZD $5.2 million of that figure. Incidents involving losses of NZD $10,000 or more totalled NZD $5.4 million, or 97% of reported losses, despite representing only 42 cases.

Phishing and credential harvesting remained the largest single category of incident, with 437 reports in the period. The figures point to continued pressure on individuals as well as larger organisations, although total reported financial losses remained below the average of the past two years.

Basic measures

Several lessons emerged from the highly significant cases, particularly around protecting sensitive information. The centre pointed to common controls such as multi-factor authentication, tighter management of privileged access, and stronger security at network edges.

"Ensuring basic cyber security measures such as multi-factor authentication, managing who has full access to the network, and protection of the network edges were in place could have helped to defend against these incidents," said Mike Jagusch, Chief Operating Officer, National Cyber Security Centre.

He also outlined what organisations should do to reduce exposure.

"Organisations have an obligation to protect their customers' and their sensitive personal information by securing their networks with NCSC's recommended, or similar, minimum-security standards," said Jagusch.

The quarter's data suggests a split between the volume of lower-level reports and the smaller number of more serious incidents that demand technical intervention. While only a minority of cases required specialist support, the return of C2 incidents marks a notable shift after several years without any at that level.

C2 incidents are treated as highly significant because they can involve sensitive data and disruption to services considered essential in New Zealand. The category applies to organisations of national significance, meaning the effects of an attack can extend beyond the immediate victim.

AI risks

The report also addressed the effect of frontier artificial intelligence on cyber security. The agency said the same class of models could help defenders identify weaknesses while also giving malicious actors new ways to find and exploit them at scale.

"Frontier AI models will change the cyber threat landscape for organisations because of the ability for malicious actors to find and exploit vulnerabilities at unprecedented speed and scale," said Jagusch, "but they also have the potential to be used to assist defence and protect systems at a similar scale and pace. For now, the best way to prepare is getting the basic security measures in place."

The warning reflects broader concern across government and industry that advances in artificial intelligence may lower the cost and increase the speed of cyber attacks. At the same time, security teams are increasingly looking at the same tools to improve detection, automate analysis, and strengthen defensive monitoring.

For New Zealand, the latest quarter combines a familiar pattern of phishing-led losses with the return of the most serious category of incident. The financial toll was driven overwhelmingly by larger loss events, with 42 incidents accounting for almost all reported losses.