New Zealand tourism businesses facing cybersecurity challenges

New Zealand tourism businesses are being warned to secure their social media accounts and IT systems in the wake of a series of cyberattacks.

AJ Hackett Bungy New Zealand is the most high profile operator to reveal that it has been hacked - although there are understood to be others who have not revealed that they have been targetted.

As first reported by New Zealand's Tourism Ticker, AJ Hackett Bungy NZ (pictured below) is understood to have been subjected to an attack earlier this month after hackers gained access to the operator’s systems.

Advising in a statement released to Tourism Ticker that the exact nature of the breach is still being investigated, Bungy NZ Chief Executive, David Mitchell commented that while the cyberattack was “incredibly disruptive, briefly undermining access to Bungy’s technology systems, the company was prepared for this kind of event.

“Our programmes and processes meant our IT team were able to move quickly to shut our system down and minimise the ongoing impact.”

Mitchell said access to email, files and other operating systems were temporarily lost but noted that there was “currently no evidence that the hackers were successful in copying any company information.”

He went on to state "our IT team will continue to investigate how the breach occurred and any changes that need to be made to ensure it does not happen again.

“We did not engage with the hackers and no ransom sum was proposed by them.”

Mitchell added it was a reminder for other businesses to be prepared for a cyberattack, adding “I’d encourage others in the industry to get prepared in case they are targeted. Seek expert advice, review technology systems and ensure a proper plan is in place to minimise the impact.”

New Zealand news website Stuff has reported that Auckland woman Sarah Chant’s personal Facebook account was targeted by hackers, as a result of which she lost access to her business Facebook pages, which she had run for more than 13 years.

She also lost access to her popular New Zealand travel tips page.

Advising that "most of my pages were gone", Chant said hackers appear to be targeting personal Facebook users who also had a linked business account.

The hackers made themselves an administrator on the user’s business page, and used the credit card details associated with the business page to buy Facebook advertising.

Krissy Griggs, Marketing and Partnerships Manager at South Pacific Helicopters and Wings over Whales had her personal Facebook account hacked in December, losing access and had $6000 charged to her company credit card.

Dealing with Facebook’s parent company Meta was, according to Griggs, a “painfully slow process” and the company had not yet acknowledged the hack.

Griggs said the fraud had been reported to the bank, but she had not received any of the money back.

The scam has been around since 2020, and has targeted a number of well-known Australian businesspeople, who have hired lawyers to get their accounts back.

ABC’s The Drum presenter Julia Baird was forced to issue a public appeal to Facebook on Twitter after her account was taken over by hackers, 9 News reported in August 2020.

Sydney-based Dowson Turco Lawyers had represented a number of people who have faced similar hackings.

Partner Nicholas Stewart said innocent users were being hacked and were victims of phishing scams, bots and human trolls who were using Isis imagery as a weapon to cause financial damage.

Stewart advised that the firm had a 100 per cent success in convincing Meta to restore the disabled accounts of clients around the world who had been victim of the Isis Facebook hack

Brett Callow, threat analyst at cyber-security firm Emsisoft, said most hacks happened because of “fairly basic security failings”.

Callow told Stuff "businesses can significantly reduce the likelihood of become a victim if they make sure they get the 101s right.”

It included having a solid password policy, limiting administrative rights and, most importantly, using multifactor authentication everywhere it should be used.

Even large businesses with significant cyber security systems can be caught out by sophisticated attacks.

Air New Zealand fell for a scam in 2019 when two contact centre staff email accounts were phished leading to a breach in Airpoints customer data.