Confidential client information has been stolen in a cyber-attack and blackmail attempt by overseas hackers against a software company providing services to car dealers and workshops.

Software company Auxo has gone to the High Court to obtain a restraining order to try to stop anyone using or sharing client information that might be published online.

Auxo software is used in 50 per cent of vehicle workshops nationwide, and at 40 per cent of vehicle dealers, but the company has declined to say how many clients may have been affected.

A demonstration video on the Auxo website shows that its software collects and stores information at the level of individual customers at mechanics’ workshops.

Information supplied to the court cited a “credible threat and significant risk” that the hackers might post some or all of the information taken in the cyber attack on the dark web if a ransom is not paid.

Hamilton car dealership Coombes Johnston European Ltd is named in the High Court judgment as being a potential target of the cyber-attack and its head of business, Richard Johnston, provided an affidavit to the judge.

A Coombes Johnston spokesperson said that its internal information technology system was not compromised in the attack against a “third party”, and it was investigating to what extent information relating to the dealership might have been involved.

Auxo - which is wholly owned by the Motor Trade Association (MTA) - will not say how much the ransom demand was for.

“I’m not able to comment on anything related to the attack, in that respect, unfortunately,” Auxo chief executive David Murdoch told NZME.

Murdoch said he was confident that the attack had been “contained”, but declined to elaborate on what that meant.

He said the company was directly in contact with customers who may have been affected, and would continue to be.

Murdoch said going through the process of dealing with the attack made him realise how widespread cybercrime had become.

Auxo had called in “very capable” legal and cybersecurity experts from around the world to deal with it, he said.

“These [offshore hackers] are highly sophisticated illegal groups, operating at scale.”

Police are investigating the attack and the Office of the Privacy Commissioner has been notified.

The High Court judgment by Justice Timothy Brewer reveals that the cyber-attack happened in or around early February, and resulted in confidential client information being copied and extracted by the hackers.

The case was brought in the name of Australasian Automotive Business Solutions Ltd - the company and former trading name of Auxo before it was rebranded. It was acquired by the MTA in 2021.

“The threat actor is attempting to blackmail the plaintiff (Auxo),” Justice Brewer said.

“It has contacted the plaintiff and threatened to disclose the information copied and extracted ... if its ransom demands are not satisfied.”

Justice Brewer issued an order preventing all “unknown defendants” from using, broadcasting, publishing or sharing the stolen datasets.

Murdoch agreed the effect of an injunction issued in New Zealand against international criminals might be limited, but said it was a “belt and braces” initiative.

“Our goal with that was to make sure we were doing absolutely everything in our power to protect customers.”

Auxo also had Australian customers and the company would consider seeking a similar injunction in the Australian courts if required, Murdoch said.

Coombes Johnston said it had been advised of the cyber-incident involving its third-party service provider.

“As soon as Coombes Johnston BMW became aware of this incident, we engaged external advisers to assist with our response and determine the extent to which information relating to Coombes Johnston BMW may be involved,” it said in a statement.

“This investigation is ongoing, and we will update our stakeholders as more information becomes available.

“We take cyber-security and the protection of our staff and client data very seriously and we would like to reassure our stakeholders that our own internal IT systems were not involved.”

The Auxo breach is the second known cyber attack within a year in which New Zealand drivers’ information may have been compromised.

In March 2023, financial services firm Latitude received a ransom demand after an attack that exposed details of more than a million drivers’ licences.

Asked what advice he would give other businesses facing a cyber-threat, Murdoch recommended the website of the Computer Emergency Response Team (CERT NZ), which provides advice on preventing and dealing with such attacks.

Ric Stevens spent many years working for the former New Zealand Press Association news agency, including as a political reporter at Parliament, before holding senior positions at various daily newspapers. He joined NZME’s Open Justice team in 2022 and is based in Hawke’s Bay. His writing in the crime and justice sphere is informed by four years of front-line experience as a probation officer.