ChannelLife New Zealand - Industry insider news for technology resellers
New Zealand
Cyber criminals are not breaking in - they're logging in

Cyber criminals are not breaking in - they're logging in

Fri, 17th Jul 2026 (Today)
Tom Chan
TOM CHAN Marketing and Content Brightstar

In times past we heard about cyberattacks in the media as far-away, one-off incidents. Now, it seems not a week goes by without our colleagues, peers, or businesses right next door being compromised. Across New Zealand, organisations and individuals are discovering that breaches are now a common reality. 3 incidents amongst many recently are particularly salient:

Uber driver scam: When attackers target people, not systems

In June 2026, a Wellington Uber driver lost more than $700 after falling victim to an impersonation scam. The attacker posed as Uber support, claimed to be investigating a complaint, and several hours later convinced him to provide a one-time verification code on his phone to close the case after "investigation". Using that code, the scammer gained access to the account, changed the linked bank details and withdrew the driver's earnings using Uber's instant cash-out option.

Canvas data breach: When trusted platforms become the weak link

In May 2026, several New Zealand universities and tertiary institutions were caught up in a global cyber incident involving Canvas, a widely used learning management system. Attackers exploited a vulnerability within the support ticket system in Canvas's "Free for Teacher" environment to access the broader cloud-hosted database, affecting thousands of education institutions and exposing the risks organisations face when relying on third-party technology platforms.

Institutions including the University of Auckland and AUT were notified that data held within Canvas may have been accessed, including user information such as names, email addresses, student IDs and Canvas messages. The NZ National Cyber Security Centre (NCSC) actively engaged with local universities as damages and impacts continue to be assessed.

Manage My Health breach: When sensitive data becomes the target

In late 2025, Manage My Health experienced a cyber incident that exposed the risks of protecting highly sensitive personal information in an increasingly connected healthcare environment. Attackers gained access using compromised credentials to exploit a vulnerability in the platform's Application Programming Interface (API), allowing them to enter the platform as an authorised user rather than breaking through the system's external defences. Once inside, they were able to access and copy documents stored within the My Health Documents module, which contained sensitive health-related information uploaded by users and healthcare providers. After review, it was announced in May 2026 that around 400,000 documents of 99,000 patients were affected.

The lessons are clear: cyber vulnerabilities can come from any direction. Fundamentally, a human element runs across these incidents. The focus must be on understanding vulnerabilities, strengthening controls and most importantly having beforehand capable partners ready to respond. For organisations with hundreds or thousands of employees, preventing every compromise is unrealistic.

The Cyber Security Risk Conference 2026 (part of the CIO Innovation Summit and Awards experience) will bring together cyber leaders, executives and cyber risk professionals to shine a light on how organisations can navigate today's evolving threat landscape - from strengthening prevention to responding when incidents occur. Business leaders can't afford to miss this opportunity to protect their organisation: the risk and consequences are just too great in 2026.

The Cyber Risk Conference 2026 | 4 August 2026 | NZICC, Auckland
Learn more.