What happened
Langley Twigg, a Napier law firm, was hit by a cyber attack on 11 January 2026 when a malicious third party deployed malware on its network and extracted data from a file server [lt-statement]. Reporting indicates roughly 300 GB was taken, and that a threat actor later appeared to offer files — including passport scans — online [nzherald] [cyberdaily].
Data exposed
Reporting and the firm’s statement point to client documents and case files, internal firm operational information, and passport scans [rnz] [cyberdaily]. The number of people affected has not been disclosed and is not estimated here.
Timeline
- 2026-01-11 — Malware deployed; data extracted from the file server [lt-statement].
- 2026-01 — Firm disclosed, notified the NZ Privacy Commissioner and Police; reported to have obtained an injunction [rnz] [nzherald].
Why it matters
Small and mid-sized professional-services firms hold highly sensitive client data — identity documents, legal case files — and are squarely in scope for ransomware and data-theft crews.