The hacker was then able to log on to several Dempsey Wood accounts and send fraudulent invoices from real Dempsey Wood email addresses. Such cases typically see a real-looking invoice, but with bank payment details changed to an account controlled by cybercriminals.
"We discovered the issue on the morning of July 22 and by early the following week, we had contained the issue by following best practice from Microsoft, including the resetting of all passwords across our organisation," Chiu said in her update.
The CFO told the Herald she was unaware of any customer who had paid a fraudulent invoice.
There was no immediate explanation for why the customer alert was only sent this morning when the breach was discovered on July 22.
Chiu advises that any customers who gave out personal information after receiving a fake invoice should contact their IT team or IT service provider, or ID Care - the Ministry of Justice-backed organisation that advises people who have been hit by identity theft (see links to ID Care and other agencies that can assist here).
If you do pay a fraudulent invoice by mistake, banks say to inform them as soon as possible. In February last year a West Auckland couple paid a fake invoice for $21,000 after the company renovating their bathroom was hacked - and almost lost the money after the two banks involved initially said they had been too slow to report the incident.
"We want to assure you that we have always taken cyber security very seriously. Unfortunately, cyber incidents such as this are increasingly common and very sophisticated," Chiu said in her customer update.
"A team of forensic IT specialists are following an industry best practice response plan, working quickly to understand how this happened and exactly what personal and other information may be impacted."
The Privacy Commissioner's office had been informed (now a legal requirement for any breach, following a December 2020 update to the Privacy Act).
"Our internal systems quickly identified the issue, and we immediately engaged external cyber security experts to support our rapid response. This work includes ensuring our own system is as secure as possible going forward," Chiu said.
The latest quarterly report by the Government's Computer Emergency Response Team (CertNZ) said Kiwis are losing record amounts of money to cybercriminals, with phishing scams one of the most popular ploys.