The Biggest Data Breaches of 2024: What They Mean for NZ Businesses
2024 produced some of the largest data breaches in history. Over 1.1 billion records were exposed across five major incidents alone, and the global average cost of a breach hit $4.88 million. These were not attacks on careless startups. They hit healthcare providers, telecommunications giants, and enterprise technology companies with dedicated security teams and substantial budgets. The lesson for NZ business owners is not that breaches happen to someone else. It is that the same vulnerabilities exploited in these attacks exist in your environment right now, and most of them are preventable with controls your business should already have in place.
1. National Public Data: 2.9 Billion Records Exposed
National Public Data, a US background-checking and data-brokering company, suffered a breach that exposed approximately 2.9 billion personal records including names, addresses, and Social Security numbers. The company filed for bankruptcy within months, unable to withstand the class-action lawsuits and regulatory penalties that followed.
What failed: Poor data handling practices and inadequate access controls on a massive data repository. The company had no credible incident response plan and took months to disclose the breach.
NZ takeaway: Under the Privacy Act 2025, NZ businesses must notify the Office of the Privacy Commissioner and affected individuals of any breach likely to cause serious harm. If you cannot answer the question “what personal data do we hold, where is it stored, and who has access?” you are operating blind. A security assessment will map this for you.
2. Change Healthcare: 131 Million Patient Records Compromised
The BlackCat ransomware group breached Change Healthcare, a company that processes roughly one-third of all US patient medical transactions. The attack compromised the records of 131 million patients and forced the company to pay a $22 million ransom. Healthcare providers across the US were unable to process claims for weeks.
What failed: A single server without multi-factor authentication. That was the entry point. One server, one missing control, $22 million in ransom and months of operational disruption.
NZ takeaway: MFA is not optional. It is a baseline control that blocks over 99% of automated credential attacks. If your IT provider has not enforced MFA across every account in your environment, including admin accounts, VPNs, and cloud platforms, that is a gap that needs closing this week, not next quarter.
3. Ticketmaster/Snowflake: 560 Million Customer Records Stolen
The ShinyHunters hacking group breached Ticketmaster by compromising credentials for Snowflake, the cloud data platform Ticketmaster used for storage. The attack exposed the personal and financial data of over 560 million customers. Over 160 other Snowflake customers were targeted using the same technique.
What failed: Compromised credentials on a third-party cloud platform, combined with no MFA enforcement on those accounts. This was a supply chain attack where the weakest link was not the target company but a vendor’s access controls.
NZ takeaway: Your security is only as strong as your vendors’ security. If you use cloud platforms like Microsoft 365, accounting software, or any SaaS tool that holds client data, you need to verify that MFA is enforced on every account and that your provider is managing endpoint detection across the devices accessing those platforms.
4. AT&T: 110 Million Customer Records Exposed
AT&T suffered two separate breaches in 2024. The larger incident exposed 110 million records including phone numbers, call metadata, and approximate location data for both customers and non-customers who had interacted with AT&T numbers. The company paid a $370,000 ransom to delete the stolen data.
What failed: Insufficient monitoring and inadequate access controls on systems holding vast amounts of sensitive customer data.
NZ takeaway: Continuous monitoring is not a luxury. It is how you detect unusual access patterns before they become full-scale exfiltration. A SOC-as-a-Service model gives NZ businesses 24/7 threat detection without the cost of building an in-house security operations team.
5. Dell: 49 Million Customer Records Breached
An attacker used credential stuffing to access Dell’s customer sales portal, stealing 49 million records covering transactions between 2017 and 2024. The stolen data included customer names, home addresses, and order details. The dataset was put up for sale on a cybercriminal forum.
What failed: Weak authentication on a customer-facing portal with no rate limiting or anomaly detection to flag the credential stuffing attack in progress.
NZ takeaway: Credential stuffing succeeds when passwords are reused across services. Enforcing unique, complex passwords through an enterprise password manager and combining it with MFA eliminates this attack vector entirely. Security awareness training ensures staff understand why password reuse is a business risk, not just a personal inconvenience.
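The anomaly detection missing in the Dell case can be as simple as counting how many different usernames fail from one source in a short window. The sketch below is an added example, not code from Dell or any vendor named here; the log format, the five-minute window, the threshold of five usernames and all sample data are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MAX_USERS = 5                  # assumed threshold: distinct failed usernames per source

# Constructed sample log, format: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 alice FAIL
2024-05-01T09:00:03 203.0.113.7 bob FAIL
2024-05-01T09:00:04 198.51.100.20 dave FAIL
2024-05-01T09:00:05 203.0.113.7 carol OK
2024-05-01T09:00:07 203.0.113.7 erin FAIL
2024-05-01T09:00:09 203.0.113.7 frank FAIL
2024-05-01T09:00:30 198.51.100.20 dave FAIL
2024-05-01T09:00:31 203.0.113.7 grace FAIL
2024-05-01T09:01:10 198.51.100.20 dave OK
""".splitlines()

def detect_stuffing(lines, window=WINDOW, max_users=MAX_USERS):
    """Return {ip: {"tried": usernames, "succeeded": usernames}} for flagged sources."""
    failures = defaultdict(deque)   # ip -> (timestamp, username) failures inside the window
    successes = defaultdict(set)    # ip -> usernames that logged in successfully
    flagged = defaultdict(set)      # ip -> usernames tried while over the threshold
    for line in lines:
        ts_text, ip, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        if result == "OK":
            successes[ip].add(user)
            continue
        recent = failures[ip]
        recent.append((ts, user))
        while ts - recent[0][0] > window:   # expire failures older than the window
            recent.popleft()
        distinct = {u for _, u in recent}
        # Many *different* usernames failing from one source is the stuffing signature;
        # one user mistyping a password repeatedly never exceeds a count of 1.
        if len(distinct) >= max_users:
            flagged[ip] |= distinct
    return {ip: {"tried": users, "succeeded": successes[ip]} for ip, users in flagged.items()}

if __name__ == "__main__":
    for ip, hit in detect_stuffing(SAMPLE_LOG).items():
        print(ip, "tried", sorted(hit["tried"]), "-> review logins:", sorted(hit["succeeded"]))
```

Any account that logged in successfully from a flagged source is a candidate for a forced password reset and session revocation. A per-source count will not catch an attack spread thinly across many addresses, so it complements MFA and rate limiting rather than replacing them.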
The Pattern Behind Every Breach
Five breaches, five different companies, five different industries. But the root causes repeat:
| Root Cause | Breaches Where It Was a Factor | Control That Prevents It |
|---|---|---|
| Missing multi-factor authentication | Change Healthcare, Snowflake/Ticketmaster, Dell | MFA enforced across all accounts |
| Poor access controls | National Public Data, AT&T, Dell | Least-privilege access, regular entitlement reviews |
| No continuous monitoring | AT&T, National Public Data | 24/7 SOC monitoring with anomaly detection |
| Third-party/vendor risk | Snowflake/Ticketmaster | Vendor security assessments, MFA on all integrations |
| No tested incident response plan | National Public Data, Change Healthcare | Documented and rehearsed response procedures |
None of these are exotic, expensive controls. They are foundational. Frameworks like SMB1001 and ISO 27001 exist specifically to ensure businesses implement them systematically rather than ad hoc.
What NZ Businesses Should Do Now
If you have read this far and recognised gaps in your own setup, here is where to start:
- Audit your MFA coverage. Check every account: email, cloud platforms, VPN, admin consoles, line-of-business applications. If any are protected by password alone, fix them immediately.
- Run a cybersecurity assessment to map your current posture against a recognised framework. You cannot fix what you have not measured.
- Ensure your backups are tested. Not just running, but tested. Can you restore to a known-good state within your recovery time objective? If you do not know your RTO, that is the first conversation to have.
- Verify your compliance posture. The Privacy Act 2025 requires breach notification. Do you have a documented process for assessing harm, notifying the Commissioner, and communicating with affected individuals?
- Invest in your people. 68% of breaches in 2024 involved human error. Ongoing security awareness training with simulated phishing is not a nice-to-have. It is the single highest-ROI cybersecurity investment most SMBs can make.
Frequently Asked Questions
Are NZ businesses required to report data breaches?
Yes. Under the Privacy Act 2025, any organisation that experiences a privacy breach likely to cause serious harm must notify the Office of the Privacy Commissioner and affected individuals as soon as practicable. Failure to report can result in compliance notices, fines up to $10,000, and proceedings before the Human Rights Review Tribunal.
What does a data breach typically cost a small business in New Zealand?
Globally, the average cost of a data breach reached $4.88 million in 2024. For NZ SMBs, direct costs including forensic investigation, legal fees, regulatory compliance, notification, and lost revenue typically range from $50,000 to $500,000 depending on the size of the breach and the sensitivity of the data involved.
What is the single most effective control to prevent a data breach?
Multi-factor authentication. Multiple major breaches in 2024, including Change Healthcare (131 million patients affected), were caused by the absence of MFA on a single system. MFA blocks over 99% of automated credential attacks and is a baseline requirement under frameworks like SMB1001 and ISO 27001.
How often should a business run a cybersecurity assessment?
At minimum annually, with additional assessments after significant infrastructure changes, staff turnover, or security incidents. Businesses handling sensitive client data or operating in regulated sectors should conduct quarterly vulnerability scans and annual penetration tests.
What cybersecurity framework is best for NZ SMBs?
SMB1001 is purpose-built for small and medium businesses, offering tiered certification from Bronze through Diamond that scales with organisational maturity. ISO 27001 is the right choice when contractual or regulatory obligations specifically require it, but demands significantly more time and resource investment.
Do Not Wait for Your Own Breach Story
Every business listed above had security budgets, dedicated teams, and enterprise tooling. They still got breached because basic controls were missing or poorly implemented. The same gaps exist in thousands of NZ businesses right now. The difference between being protected and being exposed is not budget. It is discipline.
Book a free discovery call and find out exactly where your business stands, what gaps exist, and what it takes to close them before someone else finds them first.