🔒breach.co.nz · the NZ & Australia breach register 🛡️ A Govern service
Register › 🇳🇿 NZ › Technology

Mercury IT

🇳🇿 Wellington · Mercury IT (managed service provider) · Record NZ-2022-0071
○ Reported — awaiting official confirmation
Reported — awaiting official confirmation. The facts below are drawn from the organisation's own disclosure and credible reporting. Figures are as reported; unknowns are labelled, not estimated by us.
People affected
Not disclosed
Breach date
2022-11
Regulator
NZ Privacy Commissioner
Trust tier
B · Reported

Data exposed

Coronial files and post-mortem reports (~14,500 files, Ministry of Justice) Media-reported
Health and insurance records via downstream agencies Media-reported

Confidence: Confirmed = regulator/court · Company-confirmed = the organisation's own disclosure · Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In November–December 2022 a ransomware attack on Mercury IT, a Wellington managed-service provider, cascaded to numerous downstream organisations — including the Ministry of Justice (where thousands of coronial files were affected), health agencies and insurers [nzherald-mercury]. The NZ Privacy Commissioner opened an investigation [nzherald-mercury].

Timeline

  • 2022-11 — Ransomware attack on Mercury IT [nzherald-mercury].
  • 2022-12 — Downstream impact confirmed; Privacy Commissioner investigation announced [nzherald-mercury].

Current status

Reported and under investigation; figures reflect reporting at the time. This record will upgrade to Tier A when official findings are published. [nzherald-mercury]

Why it matters

A defining New Zealand supply-chain incident — one MSP breach exposing the data of multiple government agencies at once.