Below are the answers to some frequently asked questions about the cyber incident: what happened, our response and support for our customers.
For questions related to claims, payments and other Accuro services, please see the Service Related Frequently Asked Questions page.
What happened?
There was a cyber incident involving the infrastructure of our external IT provider (Mercury IT), which has impacted some of our systems and services.
We are not the only client of Mercury IT that has been affected.
We are aware that the third party responsible for the cyber incident has now illegally released online a small set of Accuro data that was obtained in the Mercury IT cyber incident.
We believe that this represents all of the data that was accessed in the incident and that the data is from our commercial and management files, which largely contain financial information relating to Accuro. We are in the process of working with our cyber and IT advisers to analyse this data to identify what personal information it contains.
We want to reassure you that at this time we have no evidence that this information has been misused. If we discover any personal information that places you at potential risk, we will directly contact those affected with the specific steps they can take to protect their information from misuse.
What does released online mean?
The impacted data has been released on what is called the dark web. The dark web is a part of the internet that can only be accessed through special kinds of software. Most dark web websites are not directly accessible via a normal search made through a search engine (such as Google). They effectively hide themselves. They are accessible only if the addresses of those sites are known to the user.
Is my personal information involved?
Our current understanding is that this information is from our commercial and management files and largely contains financial information relating to Accuro.
We would like to assure you that we have no evidence of any misuse of personal information and that, if we discover personal information that places you at risk, we will directly contact you with the specific steps you can take to protect your information from misuse.
What steps has Accuro taken in response?
Should we observe our members’ personal information has been affected, we will directly notify the individuals at risk, advising them of any steps they need to take.
We have also proactively notified relevant regulatory and government agencies, including the Office of the Privacy Commissioner. We will continue to liaise with these agencies and take their advice.
We will continue working with our third-party cyber security and IT experts to closely monitor this incident, and should any concern be raised, we will proactively manage this accordingly.
Who can I contact for more information?
If you wish to speak to someone from Accuro, please send us an email at info@accuro.co.nz and someone will respond to you as soon as possible.
Below are some of the organisations that are here to support you should you have any specific questions or concerns about protecting your personal information:
IDCARE
We have proactively engaged IDCARE, New Zealand’s national identity and cyber support community service, who can assist you with interim advice if you have concerns about your information or are seeking guidance on how to protect your information.
To use IDCARE’s services, please visit the Accuro page on the IDCARE website www.idcare.org or you can call IDCARE on 0800 121 068. There is no cost to you for engaging with IDCARE.
Office of the Privacy Commissioner
The Privacy Commissioner has been notified about this incident. If you have further concerns, you have the right to contact the Office of the Privacy Commissioner.
You may wish to visit the Privacy Commissioner website for further information about your privacy rights and responding to cyber security incidents.
When will this issue be resolved?
We are unable to provide any information right now on when this issue will be resolved. The Accuro team is doing all it can to maintain key services, while also working with our external IT provider and advisors to respond to the cyber incident. We are continuing to process claims and collect premiums, but we are experiencing delays. We appreciate that this will be very frustrating for you and raise concerns, but we will keep you informed as we have more to share.
Please continue to check our website, which will have the most up-to-date information.
Do I need to do anything?
We are assessing the situation on an ongoing basis and will provide further information and any advice once we know more.
Should we determine our members’, partners’ or employees’ personal information has been disclosed online, we will work as swiftly as possible to notify at-risk individuals and advise them of specific steps they can take to protect their information from misuse.
In the meantime, we would encourage you to be vigilant and keep an eye out for any suspicious online activity. If you have any concerns, you can contact IDCARE (0800 121 068).
We will continue to update our website with information.
What should I do if my contact details have been exposed?
Where a third party may have access to your contact information, it is important to:
- check links – take note of what is called a ‘Uniform Resource Locator’ or ‘URL’ when on a webpage that is asking for your login credentials. This is located in the address bar of your web browser and typically starts with ‘https://’;
- take caution – if you are suspicious of the address, contact your service provider to ensure you are logging into the correct page. Do not provide your login details;
- enable additional protections – enable multi-factor authentication for your online accounts where possible and/or ensure you have up-to-date anti-virus software installed on any device you use to access online accounts;
- mobile phone porting – stay alert for mobile phone carriers indicating that your phone is no longer connected to the network where this is unusual, or you have not instructed your mobile phone carrier to terminate the connection. Where this occurs, we recommend alerting your mobile phone carrier of the issue immediately;
- review Scamwatch guidance – you may wish to review the New Zealand Ministry of Business, Innovation & Employment's Scamwatch guidance on protecting yourself from scams here: https://www.consumerprotection.govt.nz/general-help/scamwatch/
- remember that it is always good practice to review and not reuse passwords. CERT NZ provides guidance around good password practice here: https://www.cert.govt.nz/individuals/guides/how-to-create-a-good-password/
- for further guidance about protecting your identity, you may wish to visit the New Zealand Government's ID Theft guidance page here: https://www.govt.nz/browse/law-crime-and-justice/identity-theft/
What should I do if my bank account details have been exposed?
Although bank account numbers are not considered high risk (as they do not allow unauthorised access to your bank account), you should, however:
- check your bank statements for unusual transactions;
- where available, use two-step authentication – such as SMS codes to your mobile phone;
- check your credit report yearly (this alerts you to any attempts to open a credit account in your name); and
- never respond to, open or click on links in emails purporting to be from your bank (it is always safer to call).
When will there be more information available?
We will continue to update our website with information as it becomes available, so please check here in the first instance. We will also be directly emailing our members and partners with important updates.
I am concerned about my personal information. Where can I go for information and/or support?
We are committed to providing you with ongoing updates as more facts are established and providing you with tailored support and advice in response.
If you have concerns about your information or are seeking guidance on how to protect your information, we recommend you visit the IDCARE website. IDCARE are New Zealand’s national identity and cyber support community service, who can assist you with interim advice.