Red faces as Institute of Directors hacked a second time, credit card fraud possible

Image / 123rf

Hackers appeared to have gained access to at least some of the credit card numbers used by one of the wealthiest groups of Kiwis: professional directors.

The Institute of Directors New Zealand has been hacked for a second time.

It's another embarrassment for an organisation that has in recent years implored its members to get to grips with "The Hacker Mindset", and issued various guides for boards who want to help boost their organisation's cyber defences.

Chief executive Kirsten Patterson told the Herald, "The Institute's corporate website experienced a security breach on March 24, where details of some credit cards used to purchase products and services from us may have been taken, and later used fraudulently."

The Institute alerted members four days later, on March 28, "Once we had the key details we needed," Patterson said.

She added, "On April 8 we also updated a smaller sub-set of those impacted to advise our forensic review had identified that their email or address details may also have been exposed.

There is currently no indication that passwords were compromised, the Institute's head said.

Her organisation was seeking more information from members who might have been affected, and working with the Government's Computer Emergency Response Team (Cert NZ), the Privacy Commissioner and the GCSB's National Cyber Security Centre

In 2019, the institute warned its members to change their passwords after its site was breached and defaced.

At the time, Patterson, told the Herald that the incident simply proved her point that online threats are very real.

This afternoon, the chief executive said of the latest attack:

"The Institute of Directors takes data security and privacy matters extremely seriously, and we sincerely regret that this breach has occurred.

"We took action immediately to remove our online credit card payment option and extensive forensic testing was initiated, working with our external cyber security, technology and banking partners."

"We do not store credit card information on our site or elsewhere. This was a deliberate attack whereby hackers were able to insert code capable of capturing information when a user was inputting their credit card details to be processed by our global third-party payment processor."
.
How could another attack happen?

"While our server updates and security patches were up to date, unfortunately hackers continue to look for, and exploit, vulnerabilities," Patterson said.

"This issue highlights the constant cyber security threat that organisations are facing globally and why it's important for all boards to be focusing on cyber security. We are doing all we can to identify how this issue occurred and what we need to do to mitigate future risk."

Patterson said the IoD moved to a different platform after the 2019 attack.

Cert NZ recently reported that Kiwis lost a record amount to cyber attacks in the December quarter