If you or someone else is in immediate danger or a crime is being committed, call 111 now.
Reporting a cyber security incident
We have two online reporting options:
- reporting for individuals and small to medium organisations that helps to triage the issue and provide targeted advice and next steps.
- reporting for IT specialists on behalf of businesses, large organisations and government that have more knowledge of the problem and may want specialist support.
Support for individuals and small to medium businesses
For individuals or small to medium businesses, people can report incidents such as:
- online scams,
- malware,
- unauthorised access,
- data breaches,
- distributed denial of service attacks,
- ransomware, and more.
Depending on the circumstances of the cyber incident or issue, we will:
- acknowledge and triage reports,
- give an indication of what may have happened,
- if required, refer the report to partner agencies, like the New Zealand Police, the Department of Internal Affairs, or banks and telecommunication companies, and
- provide further advice or next steps to help people respond and recover or learn how to protect themselves online.
If you'd like assistance completing the reporting tool, call us on 0800 114 115.
Calling us is free within New Zealand. We’re open 7am to 7pm, Monday to Friday, and we’re closed on public holidays.
Just want to let us know?
If you have been sent a scam email or text or received a scam phone call and haven’t clicked or provided information, we would still like to know about it as part of our reporting. You can:
- forward an email to us at phishpond@ncsc.govt.nz, or
- forward a text/SMS message to our partners at the Department of Internal Affairs (DIA) on 7726.
Some reports don’t require a direct response. If this is the case, details of the incident are recorded by us and help us to understand the kinds of cyber attacks and scams that are affecting New Zealanders. This data is analysed and published quarterly.
Service for IT specialists, large organisations and government
For critical infrastructure, large businesses or government agencies, an incident can be any threat to a network or information, even when an attack is unsuccessful or there is no confirmed compromise.
An incident may include:
- reconnaissance and network scanning,
- possible attempts to exploit vulnerabilities,
- accidental data leaks, or
- suspicious events.
We help large organisations respond to, and recover from, high-impact cyber security incidents.
Our response supplements support from commercial providers, and can include:
- on-site assistance,
- digital forensics and technical analysis,
- threat intelligence, including information from our international partners,
- communications advice and guidance, and
- coordinating with New Zealand’s National Security System.
We work with other agencies such as the New Zealand Police to triage incidents. Where an incident has high national impact, the national security system is engaged through New Zealand’s Cyber Security Emergency Response Plan.
New Zealand's Cyber Security Emergency Response Plan – DPMC External Link External Link
How we categorise incidents
We categorise incidents on a one to six scale, according to their potential impact. This scale is based on processes described in the New Zealand Cyber Security Emergency Response Plan.
Minor incidents are categorised as C6, while highly significant incidents are categorised as C2 and national cyber emergencies are categorised C1.
Highly significant incidents (C2 or above) involve substantial time and resources to address. Even significant (C3) or moderate incidents (C4) can still take several weeks to resolve and usually require complex responses across several teams.
For minor (C5) or routine incidents (C6), the NCSC might respond by providing general advice or alerts to customers.
As examples, the denial-of-service attack affecting the New Zealand Stock Exchange in 2020 and the ransomware attack affecting the Waikato District Health Board in 2021 were both categorised C2.
More information about the categorisation of incidents is below.
Incident categorisation scale
- C1 – National Cyber Emergency: An incident causing severe disruption to a core New Zealand service, and/or affecting key sensitive data, undermining the economic or democratic stability of New Zealand.
- C2 – Highly Significant Incident: Known or likely impact affecting key sensitive data or disruption of essential New Zealand services in organisations of national significance or the New Zealand Government.
- C3 – Significant Incident: Known or likely impact on a large commercial enterprise, wider government, or supply chain to core New Zealand services.
- C4 – Moderate Incident: Known or likely impact on a medium-sized enterprise, or lower-level impact on a larger enterprise or wider government or supply chain to core New Zealand services.
- C5 – Routine Incident: Known or likely impact on a small enterprise, lower-level impact on a medium-sized enterprise, or pre-cursor activity against a larger enterprise or wider government or supply chain to core New Zealand services.
- C6 – Minor Incident: Known or likely impact on individual(s) or pre-cursor activity against individual(s) or a small or medium enterprise.
The Traffic Light Protocol
We also use the Traffic Light Protocol (TLP) to determine the sensitivity and handling instructions for incident-related and other information we report on.
We report on New Zealand cyber threats
We regularly identify and publish reports on cyber security threats and incidents.
Recorded incidents may involve small businesses being targeted by financially motivated actors, or they may involve serious, persistent attempts to compromise the information systems of major New Zealand organisations. These include attempts to identify and steal valuable intellectual property.
Some threats come from well-resourced foreign sources. These sources may target significant New Zealand organisations or use New Zealand systems to target overseas entities.