New Zealand Nurses Caught Out in Major Email Breach

Tens of thousands of New Zealand nurses have had personal details accidentally disclosed to a phisher in yet another example of the data breach dangers posed by human error.

Earlier this week a suspected cybercriminal pretending to be the CEO of the New Zealand Nurses Organisation (NZNO) contacted a member of staff requesting the email addresses of all NZNO members.

The member of staff fell for the scam and duly emailed them. The organization has 47,000 members, although remarkably not all have given their email addresses to the body.

Acting CEO Jane MacGeorge has apologized for the incident, and claimed the organization is now investigating to see how it happened and how it can be prevented in the future.

“We are advising our members and staff to be vigilant when considering opening any emails from a Yahoo address and to question whether an email received from an NZNO address looks correct and to not open any links or attachments if in doubt,” she said in a statement.

“We are working closely with the Office of the Privacy Commissioner and ID Care to help support members to keep their email safe and to mitigate this problem. We have met with the cyber departments of NZ Police, Ministry of Health and the Department of Internal Affairs.”

The Department of Internal Affairs has since requested that Yahoo shut down the phishing email address in question.

Ironically, the NZNO even published a follow-up notice on its homepage to reassure members that the original message it sent out notifying them about the incident was not itself a scam.

“We have communicated with the chief executives of district health boards and worked with the general practitioner organisation to get communication out to the health sector about this release of email addresses and are advising them to be on alert,” said MacGeorge.

The incident is yet another example of the dangers of spear phishing and highlights the importance of rigorous training combined with strictly enforced data protection policies.

Source: Information Security Magazine