Master Builders: Cybersecurity incident being investigated

Experts say there has been a rise in the number of attacks on managed service providers - where a systems breach can give hackers access to multiple companies that use the provider. Image / 123RF

Master Builders says a cybersecurity incident was behind a multiday outage to its websites and various member services being offline.

It thinks no member data was breached, but investigations continue.

The industry group’s websites were back online this morning after being inaccessible for the best part of a week.

“Our service provider has experienced a cyber security incident impacting one of the platforms that hosts Master Builders’ websites,” a spokeswoman told the Herald yesterday when the site and services were still offline.

“We are working with our provider to restore our systems. There is an ongoing investigation into the cause of this incident.

“Our IT provider has advised that there is no evidence that our data was breached. This is continuing to be investigated by the appropriate government agencies,” she added.

“The outage has impacted our websites. Members have been unable to download contracts or lodge their Master Build 10-Year Guarantee applications via the website.”

Members could still phone or email to receive the paperwork.

Last week, Auckland-based IT services provider Lantech said it had been hit by a cyber attack on May 29, with a number of its customers impacted.

Fire and Emergency NZ is one of the featured clients on Lantech’s website. A Fenz spokesman would not comment on the attack, but said “all Fire and Emergency systems are operational”.

Master Builders would not name its IT supplier.

Lantech chief executive Ray Noonan told the Herald this morning: “We are unable to comment on individual customers. We have been in direct contact with organisations that have been impacted.”

Noonan said Lantech had been informed and was working with relevant government agencies.

“It is an ongoing investigation, and we are unable to comment further at this stage.”

Master Builders said its members had received regular updates on the incident.

Increasing attacks

The past year has seen an increase in cyberattacks on IT services companies - particularly those that host managed services.

Brett Callow, a threat assessment analyst with NZ-based Emsisoft, said a breach of an IT provider could give an attacker access to many of its customers’ data.

In December, a ransomware attack on Wellington-based Mercury IT saw files hosted for health insurer Accuro, BusinessNZ, the NZ National Nurses Association and the Coroners Court compromised, among other clients.

In October last year, Justice Minister Kiri Allan ruled out making it illegal to pay a ransomware demand, telling the Herald the move - which some have seen as a potential circuit-breaker - would criminalise victims. Last month, Allan reiterated that stance.

Australia’s Budget 2023 had A$46.5 million ($76.34m) earmarked to establish a Coordinator for Cyber Security to oversee multi-agency efforts in the event of a cyber incident.

The Australian Budget also saw the e-Safety Commissioner’s annual funding quadruple with a A$131m injection. The equivalent agency here, Netsafe, has a budget of around $4m.

There was A$86.5m to establish a new National Anti-Scam Centre, which will include establishing Australia’s first SMS Sender ID Registry to help prevent scammers from imitating trusted brand names.

Those moves were not matched on this side of the Tasman with our Budget 2023.

Meanwhile, InternetNZ - the administrator for the .nz domain - has denied that recent staff changes contributed to an incident earlier this week that took multiple websites and apps offline.

A routine annual upgrade of security keys went haywire, for reasons InternetNZ is still trying to establish.