A public relations and lobbying firm given access to sensitive Commerce Commission documents was affected by a ransomware attack.
Wellington lobbying firm Senate had access to secret documents as it worked on communication strategies for commission projects such as competition issues in the grocery, energy and building supplies sectors.
Documents obtained by RNZ under the Official Information Act (OIA) show Senate's IT provider suffered a cyber attack in which documents and files were stolen by hackers.
But the commission says no market or commercially sensitive information was affected by the hack.
The cyber attack
The documents show Senate emailed the commission on 6 December 2022, informing it of the hack.
"Our external IT service provider is the victim of a cyber attack," Senate told the commission.
The lobbying firm said "the privacy and confidentiality of all of the information we hold is critically important" and it was attempting to salvage the situation.
"Our external IT provider continues its contact with the attacker. We continue to monitor for any data that may become public and will act quickly to alert the authorities, clients and our team if this is the case."
Senate told the commission that two government agencies had obtained a court injunction against the publication or use of the stolen data.
"We are, of course, aware that this does not stop international publication of the information, should it be made public by the attackers."
A Senate memo to the Commerce Commission, marked confidential and legally privileged, details the information compromised in the cyber attack.
It runs to five pages but is entirely redacted in the documents released to RNZ under the Official Information Act.
The documents obtained by RNZ show the Commerce Commission at one point told Senate the hackers had released stolen data.
The commission's head of communications and engagement emailed Senate in January, with the subject line "ransomware attackers have leaked some data".
But Commerce Commission general manager of governance, strategy and engagement Raj Krishnan told RNZ that "no market or commercially sensitive information was affected" and the hack did not impact on its work.
"The Commerce Commission did not pay any money to the malicious actors behind this event and the information would not have been valuable to entities being investigated by the Commerce Commission."
Krishnan said a High Court injunction prevents anyone from "storing, publishing, sharing, or accessing the files obtained from the ransomware attack" without the written consent of the true owners of the information.
Because the commission "does not consider itself to be one of the true owners of the information" it could not share details about the files without breaching the court order. Publicity about the stolen data could also give the hackers leverage and increase the value of the information.
He said no action was taken against Senate as it had complied with the commission's security procedures and had taken advice from the Government Communications Security Bureau's National Cyber Security Centre.
Senate founding partner Neil Green told RNZ that his company was not the victim of the attack and the target was Mercury IT, of which Senate was a client.
He would not give details of what was stolen.
"Advice from government security experts and external cyber security advisors stressed that the people behind such incidents monitor media and other digital commentary, and often use that commentary to further their malicious activity."
Green said the incident "did not directly affect SenateSHJ's core information and storage and IT system" and the company followed expert advice.
"Once we were informed of the incident, we immediately sought external specialist advice, notified the relevant authorities and informed relevant people. We maintained a high level of communication throughout the incident and were commended for the standard that we set."
Senate staff at the Commerce Commission
RNZ revealed in November that Senate staff were embedded in the offices of the competition watchdog and were given commission devices and email addresses as they worked on communications strategies for key projects.
Krishnan said these measures helped "ensure the commission maintains the control of information being accessed in their role, can help to ensure the security of the device, and prevent the transfer of confidential information outside of the commission".
The commission paid Senate more than $300,000 between July 2020 and September 2022, despite having 16 of its own communications staff with a salary budget of $1.7 million.
Max Rashbrooke, an academic and author who has written extensively on lobbying and democracy, told RNZ it was "wildly inappropriate" for a lobbying firm to work on sensitive government projects given the potential for conflicts of interest.
The commission told RNZ last month it had robust processes for dealing with conflicts of interest.
The new OIA disclosures show that in 2021 Anna Rawlings, then chair of the commission, cautioned staff to only give Senate access to commission division meetings that it needed to go to.
"Anna also noted that she is okay with Senate attending divisions provided it is only for the specific things that we need Senate's help with," a commission communications manager wrote in a 2021 email to colleagues.
"The concern here is that Senate should not be attending divisions as a matter of course because a) it is not a good use of their time & our money and b) it creates an unnecessary risk around confidential and commercially sensitive information."