Cyber security incidents recorded by the NCSC in the first quarter of 2026 increased slightly compared to the previous quarter and included incidents with higher losses and higher severity.
Three incidents were categorised as C2 (‘highly significant’. C2 category incidents impact key sensitive data or cause disruption to essential New Zealand services in organisations of national significance. The three C2 incidents in Q1 impacted thousands of New Zealanders with sensitive data being accessed.
Between January and March 2026, the NCSC responded to 1,164 incident reports, slightly more than the 1,131 incident reports in the fourth quarter of 2025.
Of these, 77 incidents were triaged for specialist technical support due to their potential national significance. 1,087 reports did not require specialist technical support.
Direct financial loss reported during Q1 was $5.6 million, a 76% increase compared to the previous quarter’s $3.2 million.
Individuals accounted for $5.2 million in direct financial loss, and organisations for approximately $340,000.
The most common incident reported was phishing and credential harvesting, but scams and fraud was the second most reported type with a loss of approximately $3.8 million.
This year has seen several high-profile cyber security incidents occurring in New Zealand, with some involving the loss of customer or patient data. In this quarter's case study, we look at what we can learn about sensitive data protection from these significant incidents.
The second article provides some insight into the upcoming implications of Frontier AI models such as Anthropic’s forthcoming Claude Mythos Preview.
The NCSC endeavours to provide the richest possible view of the data available. Where possible, our statistical categories include all incidents. However, due to the way information is collected and processed, for some categories it is not possible for us to include incidents triaged for specialist technical support.
Data Highlights
77 incidents required specialist technical support in Q1. This is a 14% decrease from the 90 in Q4 2025.
Three of these were categorised as C2 or ‘highly significant’. These are the first C2 incidents recorded by NCSC since the 2021/2022 financial year.
1,087 incidents were reported that did not require specialist technical support in Q1, up 4% from Q4 2025.
Phishing and Credential Harvesting was the most common type this quarter with 437 incidents.
$5.6 million in direct financial loss was reported in Q1 2026, a 76% increase from the previous quarter’s $3.2 million.
Incidents $10,000 and over made up $5.4M (97%) of reported loss despite consisting of only 42 incidents.
If you are interested in more data, read our Data Landscape section. This provides a standardised set of results, graphs, and an analysis of the latest trends.
Data Landscape: a closer look at our numbers
Number of incidents
A total of 1,164 incidents were recorded by the NCSC in Q1.
Breakdown by incident category
Direct financial loss
There were 283 incidents reported to the NCSC during Q1 2025 that reported a direct financial loss, and 273 reports that specified the loss amount.
Direct financial losses totalled $5.6 million in Q1 2026, increasing by 76% compared to last quarter.
Incident severity
Of the total reports received:
- 3 were categorised as C2 – highly significant incidents
- 10 were categorised as C3 - significant incidents
- 15 were categorised as C4 - moderate incidents
- 31 were categorised as C5 - routine incidents
- 985 were categorised as C6 - minor incidents
- Remaining incidents were not categorised.
There were no C1 – national cyber emergencies, this quarter.
The majority of incidents were within the C4 to C6 range, and only a small number of significant (C3) and highly significant (C2) incidents took place during the quarter.
Incidents by suspected actors
Where possible, the NCSC links incidents triaged for specialist support to a known actor or activity grouping. Of the 77 such incidents handled by the NCSC in Q1 2026:
- 17% were assessed to be likely linked to state-sponsored actors,
- 52% were assessed to be likely linked to cybercrime actors, and
- 31% did not have enough evidence to link the activity to a known malicious cyber actor.