CyberDigest - March 2026

March 4, 2026 | 4:00 PM NZDT | Past event

New Zealand's National Cyber Security Centre contacted 26,000 people about malware infections while the 2025 Cyber Threat Report warns of intensifying risks, pushing non-profits handling sensitive data toward urgent upgrades or severe disruption.

Key takeaways

  • The NCSC's proactive outreach on Lumma Stealer and the stark 2025 threat assessment mark a shift from reactive to aggressive government warnings amid rising incidents like ManageMyHealth.
  • Non-profits face outsized impacts from ransomware and BEC, with recovery costs in the tens of thousands and potential loss of donor trust in a sector already stretched thin on resources.
  • The Privacy Amendment Act 2025's new indirect collection notification rule, effective May 2026, adds compliance pressure without dedicated funding, creating tension between operational efficiency and security necessities.

Rising Cyber Pressures on Non-Profits

New Zealand's cybersecurity landscape has tightened markedly in the past year. The National Cyber Security Centre's Cyber Threat Report 2025 details a deteriorating environment for organisations of all sizes, with state-aligned actors, cybercriminals, and hacktivists exploiting weaknesses. The NCSC's unprecedented direct warnings to 26,000 citizens about device compromises by Lumma Stealer malware signal that threats have reached a scale demanding public intervention.

Non-profits sit in a vulnerable position. They manage donor details, beneficiary records, and volunteer information—prime material for identity theft or extortion—yet typically operate with minimal cybersecurity budgets and staff. Recent high-profile incidents, including the ManageMyHealth breach exposing health data, illustrate how even well-intentioned organisations can suffer significant fallout when protections fail.

Financial and operational consequences hit hard. Ransomware payments and system restoration can drain limited reserves, while downtime halts services and erodes public confidence essential for fundraising. Business email compromise attacks, now targeting even tax-related communications, further amplify risks.

The Privacy Amendment Act 2025, enacted in September 2025, introduces Information Privacy Principle 3A, requiring notification when personal information is collected indirectly. This change, enforceable from May 1, 2026, aligns New Zealand more closely with global norms but demands process overhauls that resource-poor non-profits may struggle to implement without external support.

A core trade-off emerges: digital tools enable greater reach and efficiency for non-profits, yet introduce new vectors for attack. Free or discounted software from providers like TechSoup expands access, but it requires vigilant configuration so that it does not become a liability. Meanwhile, public agencies must meet new minimum standards, whereas non-profits rely on voluntary adoption, yet still face spillover effects through collaborations and supply chains.

Regional APAC dynamics add complexity, with AI-driven scams and evolving ransomware tactics crossing borders quickly.
