Eftpos provider Smartpay says criminals stole customer data in a ransomware attack.
But the NZX-listed firm says no card data was compromised, and that its payment systems remain fully functional.
Smartpay says it does not collect or hold card information.
It is directly contacting customers who have had other data compromised.
“On Saturday, 10 June 2023, Smartpay discovered that it was experiencing a ransomware cyber incident affecting some systems in New Zealand,” the firm said in a statement to the NZX.
“In response to this incident, Smartpay took immediate steps to contain the incident, engaged cyber security specialists, CyberCX, and are working with the relevant government authorities.
“On Friday, 16 June 2023, our ongoing investigation confirmed that criminals have stolen information pertaining to a group of customers in Australia and New Zealand from our New Zealand systems.
“Understanding the contents and extent of that data theft is now the highest priority of our investigation.”
A Smartpay spokesman told the Herald the firm could not comment on the ransom amount demanded or if any negotiations were taking place. The number of customers affected was still being determined.
He said the affected customers were retailers rather than shoppers.
Not matching Aussie moves
The incident is part of a renewed wave of cyber attacks that has included the March attack on another local eftpos provider, Windcave, and one on the IT supplier to Fire and Emergency NZ.
Last month, Justice Minister Kiri Allan again ruled out making it illegal to pay a ransomware demand - something that some industry players see as a potential circuit-breaker move. Allan said it would criminalise victims.
NZ’s Budget 2023 did not follow cybersecurity moves in Australia’s Budget 2023, which included A$2 billion ($2.207b) for new digital initiatives, with most tied to e-safety.
They included A$86.5m to establish a new National Anti-Scam Centre, which will include establishing Australia’s first SMS Sender ID Registry to help prevent scammers from imitating trusted brand names.
The Aussies also saw A$46.5m earmarked to establish a Co-ordinator for Cyber Security to co-ordinate multi-agency efforts in the event of a cyber incident.
The office of Australia’s e-Safety Commissioner (its rough equivalent to NZ’s Netsafe) saw its funding quadruple with a A$131m injection. Here, Netsafe has probably already had its lot for 2023 via a recently announced one-off $690,000 increase. Its total funding is around $4.5m.
“Ransomware attacks are disruptive, cause an economic hit, result in individuals’ information being exposed, and can even put lives at risk,” Emsisoft threat analyst Brett Callow told the Herald this afternoon.
Renewed call to make it illegal to pay a ransom
“And, unfortunately, we seem to have made very little headway in tackling the problem.
“When I say ‘we’, I really mean governments worldwide. Ransomware is far too profitable to simply go away, and we need new strategies including, in my opinion, placing more restrictions on the circumstances in which companies are permitted to pay. At the end of the day, attacks happen for one reason and one reason only: money. Reduce the money, and you’ll reduce the volume of attacks.”
Smartpay shares were flat at $1.80 in late trading.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is technology editor and a senior business writer.