The identity and financial information of hundreds of people has been exposed to hackers following a cyber attack on the Hutt City Council in March.
Council officials confirmed the security breach originated from a staff member responding to a phishing email. This single action allowed attackers to gain access to a 'small number' of council email accounts, which were then used to send malicious emails both internally and externally, triggering the council's cyber security incident response.
The council has revealed that the identity information of five people was compromised. Furthermore, it is understood that 732 people may have had their financial information compromised through email correspondence with the council.
'Deeply regrettable' breach
In a statement, the council described the incident as 'deeply regrettable' and said all those who were affected have been contacted and informed of the next steps. The immediate security risk was reportedly contained within a short period, but the investigation and assessment of the full impact continued for several days.
'We unreservedly apologise to anyone affected by this attack. Any exposure of personal information is not acceptable,' the council said. 'We are sorry this has occurred and acknowledge the concern it may have caused.' This sentiment was echoed by Chief Executive Jo Miller, who has been overseeing the council's response. The incident highlights the growing sophistication of cyber threats facing public and private organisations. Phishing, a method of tricking individuals into revealing sensitive information by impersonating a trustworthy entity, remains one of the most common attack vectors. According to New Zealand's National Cyber Security Centre (NCSC), such attacks are increasing in frequency and complexity, often leveraging artificial intelligence to automate scams and evade detection.
Council strengthens security measures
Ms Miller confirmed on Wednesday that the council had reported the breach to the Office of the Privacy Commissioner, a standard but crucial step in managing data breaches of this nature. The Commissioner's office provides guidance and can launch investigations into privacy breaches to ensure compliance with the Privacy Act.
In response to the attack, the council is accelerating a planned work programme to bolster its digital defences. 'We want to reassure the community that additional safeguards have been put in place and system security strengthened,' Ms Miller said. This includes implementing 'further mitigations to protect council information and prevent any further attack of this nature.'
The attack comes at a challenging time for the council, which is also dealing with other pressures, including a funding crisis facing a local parenting service. Incidents like this data breach can place additional strain on council resources and erode public trust, making transparent communication and robust security measures more important than ever.
While the council released details of the breach's origin and impact, it declined a Local Government Official Information and Meetings Act (LGOIMA) request from Local Democracy Reporting for the full, public-excluded report on the incident. The report was submitted to the Audit and Risk Subcommittee, but the council has chosen to keep the detailed findings confidential, likely for security reasons, a common practice to avoid revealing vulnerabilities to other potential attackers.
The ongoing threat of cyber attacks
The Lower Hutt incident is not an isolated one, reflecting a national and global trend. Government agencies and councils are high-value targets for cybercriminals seeking to steal data or disrupt services. Across the Tasman, local governments have faced similar breaches, while in the wider Wellington region, public services are still recovering from recent disruptions, such as extensive flooding that left dozens of homes uninhabitable.
The council's statement acknowledged the evolving threat landscape, noting, 'As criminals use AI to carry out more frequent and sophisticated attacks, they can automate scams, avoid detection, and adapt to security measures. This makes strong monitoring, quick response, and clear reporting essential to protect our systems.'
For the individuals whose data was exposed, the breach carries the risk of identity theft and financial fraud. Experts advise anyone who suspects their information has been compromised to monitor their bank accounts and credit reports for any unusual activity, be wary of unsolicited emails or calls, and update their passwords for any affected accounts. The council has stated it has provided guidance and support to those directly impacted.
Moving forward, the Hutt City Council has committed to learning from the incident. 'It's a reminder to us of the need to handle data with sufficient care,' Ms Miller said, as the organisation works to rebuild trust and fortify its defences against future attacks.




