
Latest news with #OfficeofthePrivacyCommissioner

Dark web password risk: NZ Govt, healthcare provider, bank staff logins found for sale

NZ Herald

05-08-2025

  • NZ Herald

Wendt would not name those affected for security reasons, but said he had shared his findings with the healthcare providers and others affected by apparent active account breaches. He had also informed the Office of the Privacy Commissioner and the GCSB's National Cyber Security Centre (NCSC) about his investigation, he said (neither agency immediately returned a request for comment).

Hackers gaining access to a healthcare staffer's login didn't necessarily mean security holes in a hospital's network or a successful 'phishing' attack (when a hacker pretends to be a legitimate service). It could be that the staff member used their work email address – and their work password – when they created an account with another site, which was then compromised.

Founder of nWebbed, Julian Wendt.

The Herald sighted a list of logins and passwords (the latter obscured by Wendt) used by employees of a private company (not in banking or healthcare). Some of the logins were 10 or more years old, and all had been used to set up accounts with third-party sites rather than being active logins for their company's own systems. The company concerned forced its users to constantly change their passwords, with logins also subject to multi-factor authentication in the form of confirmation messages sent to a user's cellphone.

However, Wendt said he has seen credentials for sale on the dark web within minutes of an attack and that multi-factor authentication could be circumvented if a hacker had even brief access to a network. 'Most organisations are watching the perimeter, not what's already leaked,' he said. Credentials and documents from previous breaches were often sitting on the dark web without an organisation realising.

What does it cost to buy stolen credentials?

Wendt says he's found some Kiwis' credentials sloshing around on the dark web for free. He says hackers often display a limited number of users' credentials (including logon names and full passwords) as a free taster for a full stolen list. At other times, they simply display them to brag. And when a username and password is tied to, for example, a specific bank account with a known balance, it can attract a premium price (see list below).

However, most of the 198,000 compromised credentials that Wendt found came within bulk lots, available at low cost. He showed the Herald one post where a seller was providing free access to 900,000 credentials as a taster for a collection of 200 million – available for a one-off cost of US$2000 ($3390) or via a monthly subscription to the seller's 'collection' for US$200 for your first month then US$100 per month.

A June 2025 study by multinational credit reporting company Experian found the following prices for individual credentials on the dark web (its US dollar finds are converted to rounded NZ dollars):

  • Hacked Gmail account: $8
  • Hacked social media account: $33 to $42
  • Passport: $83
  • Driver's licence: $250
  • Crypto account details: $33 to $4410

A separate study by managed network and security provider CrowdStrike said typical dark web prices also included:

  • Stolen bank login, minimum $2000 in account: $60
  • Stolen credit card details, balance up to $5000: $125

What is the dark web?

Wendt borrowed a Star Wars phrase to describe the dark web as a 'wretched hive of scum and villainy'. More specifically, he said it is 'an area of the internet that requires special software to access'. 'It's not indexed by search engines by Google; you have to know where you want to go before you start – some 'surface' websites help with that.' Once you make it to one dark web site, it often grants access to others.

Wendt says his earlier career has included working for Hackers Without Borders, a volunteer group that has helped the Red Cross and other non-profits close vulnerabilities in their tech systems. He says he set up the (now six-person) nWebbed in mid-2023 out of 'frustration' that there was no middle ground between basic free services for tracking if your credentials were on the dark web, such as the New York Times-namechecked HaveIBeenPwned, and corporate services that cost hundreds of thousands of dollars.

Wendt says his firm has used AI and machine learning in its analysis and stalking of dark web cyber-crime platforms. He adds, 'I've been in this game for well over a decade, so have access to some of the channels where cybercriminals often share their loot quite freely.'

Use a pass phrase, not a password

This far into the cyber-security crisis, most people are aware of the usual tips, which include:

  • Using a different password for every service
  • Using a complex password including names and special characters
  • Using multifactor authentication (MFA – a confirmation message sent to a cellphone number or app) when it's an option
  • Never accessing online banking or any other sensitive service over a public Wi-Fi network
  • Using a password manager – which could be the password manager built into your web browser – to suggest (and remember) a strong password for every site
  • Running constant health checks (for example, in the most popular web browser, Chrome, click the three dots at top right, Passwords, then Password Manager, then click the options to see weak passwords and repeated passwords)

Wendt says his number one security tip is to use a 'pass phrase' as your password for a site. 'It could be a line you'll be able to remember because it's from one of your favourite songs, books, or movies,' he says. A number of security experts have recommended using a pass phrase in security tips they've supplied to the Herald. For Wendt, it's his absolute number one tip for defeating hackers' automated systems. 'It's length that makes the difference, more than complexity,' he says.

In his view, forcing staff or customers to constantly change passwords can have its drawbacks. Some would get fed up and use a guessable password and only make a minor tweak each time, such as changing a number on the end.

Chris Keall is an Auckland-based member of the Herald's business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.

Qantas cyber attack: Kiwis cannot join Aussie legal complaint but can complain in NZ, expert says

NZ Herald

25-07-2025

  • Business
  • NZ Herald

Shaw added: 'In New Zealand if people were impacted by the breach by Qantas they would make a complaint to the Office of the Privacy Commissioner.' He said the office would consider the complaint and ask: 'Is this an actionable privacy breach in New Zealand?' Shaw said a privacy breach in this context meant a person had access to or misused personal information without consent. 'Then the question from there is, if it's a privacy breach, what has somebody suffered effectively?' The Office of the Privacy Commissioner would try to resolve that issue and ask if mediation was possible. 'Ultimately the Human Rights Review Tribunal considers it.'

The New Zealand process for data breaches has generated some criticism. Consumer NZ chief executive Jon Duffy earlier this month said Qantas would face much stiffer penalties under Australian privacy regulations than it would if it were a New Zealand company. However, Shaw said the system in New Zealand could punish people or entities for data breaches. 'The system in New Zealand is good. The Privacy Commissioner and the act have real teeth. The criticism I would have is the delay, the delay in having the matter heard by the Human Rights Review Tribunal.' He said the tribunal could award substantial damages.

Shaw said Lane Neave was not suing Qantas but New Zealand had some litigation funders and some no-win no-fee practitioners who might consider the case. The Office of the Privacy Commissioner has been approached for comment.

Qantas said it was aware Maurice Blackburn in Australia had lodged a complaint on behalf of some affected customers in relation to the cyber incident. 'Our focus continues to be on supporting our customers and providing ongoing access to specialist identity protection advice and resources,' a Qantas spokesman said. 'In an effort to further protect our customers, Qantas has obtained an injunction in the New South Wales Supreme Court which prevents the stolen data from being accessed, viewed, released, used, transmitted or published by anyone, including by any third parties.'

Maurice Blackburn said the complaint was made to the Australian privacy commissioner, who did not have jurisdiction over New Zealanders' personal information. Some 1.3 million residential or business addresses were among the affected Qantas data, including hotels for misplaced baggage delivery. Four million customer records stolen in the attack contained names, email addresses and Qantas Frequent Flyer numbers.

John Weekes is a business journalist mostly covering aviation and courts. He has reported on Catholic Church abuse and the Abuse in Care Royal Commission of Inquiry since 2019 and on Dilworth survivors since 2021.

Joint Statement On Use Of Facial Recognition Technology (FRT) In Retail Settings

Scoop

11-06-2025

  • Business
  • Scoop

Press Release – Joint Media Statement

We are firmly of the opinion that FRT, when used fairly and accurately, can be a valuable intervention to help keep customers and employees safe.

The undersigned major New Zealand retailers strongly support the use of fair and accurate technology to protect our workers and customers. We support the option for retailers to use Facial Recognition Technology (FRT) to reduce harm and proactively combat retail crime.

Our teams face high rates of verbal and physical abuse from repeat offenders who pose a risk to our employees, customers and other visitors to our stores. They are often responsible for significant violence, stock loss or damage. We are firmly of the opinion that FRT, when used fairly and accurately, can be a valuable intervention to help keep customers and employees safe. It is a powerful and effective tool alongside other crime prevention resources such as security guards, fog cannons, staff training, body cameras, panic alarms, CCTV and other technology solutions.

We acknowledge Foodstuffs North Island for their leadership in trialling this new technology, and also the oversight provided by the Office of the Privacy Commissioner in assessing FRT's suitability for use in New Zealand. The trial clearly showed that the technology made a measurable impact in reducing crime, and improving safety in stores. A survey of 1000 New Zealanders found 89% support the use of FRT if it reduces harm by 10%.

Keeping our people safe at work and keeping our customers safe is of paramount importance. A significant proportion of retail crime is committed by repeat offenders. It is these recidivist offenders that we are able to target with FRT. FRT offers the opportunity for us to quickly identify individuals of interest as they enter the store. Staff and/or security personnel are then able to respond quickly and decide how to manage each situation. Intervention is not required for every situation but FRT helps our teams to prevent or de-escalate incidents and offences.

We recognise that technology must be used in a fair and accurate way. Guardrails are needed to support customers' privacy, and to guard against potential bias and discrimination. We collectively make a commitment to work with Retail NZ to develop best practice to ensure FRT is used only to keep our people safe, and in line with our obligations under the Privacy Act.

The use of FRT in the right settings with the right controls will provide positive benefits and outcomes for customers, retailers and workers, while not impeding on the privacy of New Zealanders. The vast majority of customers will be able to go about their business as usual and will in fact be safer in those stores where FRT is used.

Police Commissioner Welcomes Report From The Office Of The Privacy Commissioner

Scoop

04-06-2025

  • Politics
  • Scoop

Press Release – New Zealand Police

Facial recognition technology is valuable for deterring, detecting and resolving crime. While there are many benefits to using technology it is crucial to have appropriate guidance in place.

Police Commissioner Richard Chambers has welcomed an Office of the Privacy Commissioner report into the trial of facial recognition technology by a major supermarket chain, saying such technology is a valuable tool for fighting crime.

'I welcome the OPC's comments about the potential benefits of facial recognition technology and the finding that, in the case of the Foodstuffs trial, it was effective at reducing incidences of serious repeat offending.'

'The value of technology such as facial recognition is that it is fair and accurate. It has an important role to play in policing. Facial recognition technology is valuable for deterring, detecting and resolving crime. While there are many benefits to using technology it is crucial to have appropriate guidance in place.'

'I welcome the clear guidelines from the OPC on how retailers can use it effectively and the safeguards that are required. It offers useful guidance on whether its use is appropriate, what the privacy risks are and how those can be minimised.'

Commissioner Chambers said the use of facial recognition technology as a crime prevention tool was a decision for retailers to make for themselves and their businesses.

'Police is supportive of retailers using tools like this to enhance safety for their staff and communities, as long as it is done lawfully and ethically. I am very enthusiastic about the opportunity to better use technology to help achieve positive outcomes. One of the biggest opportunities we have as a country is to embrace technology when it comes to fighting crime.'
