‘Days of most breaches being due to an email whoopsie seem to be long gone’: Michael Webster
In a speech during the National Cyber Security Summit 2026, Privacy Commissioner Michael Webster attributed 61 percent of serious privacy breaches in the latest quarter to intentional or malicious activity, and 36 percent to human error.
During his speech at Takina in Wellington on 17 March 2026, Webster added that: “… the days of most breaches being due to an email whoopsie seem to be long gone.”
According to him, for the reporting year to date, 21 percent were unauthorised access breaches, including through ransomware, while 28 percent were unauthorised sharing or employee browsing.
In his speech, Webster shared his thoughts regarding the role cyber security plays for decision-makers, agencies, and members of the public, as well as the links among cyber security, privacy, and personal information stewardship. He also discussed surveys on and attitudes toward cyber security.
According to Webster, amid the heightened risk environment relating to cyber security, countries such as Australia and Singapore have implemented new cyber security legislation.
He added that jurisdictions have increasingly supplemented new regulatory frameworks with tools and manuals to help businesses comply with the relevant regulations.
“And that is something the New Zealand Office of the Privacy Commissioner is also focused on,” Webster said in his speech.
He noted that the International Telecommunication Union’s 2025 global cybersecurity index placed New Zealand in the third of five tiers and classified it as an “establishing” nation along with countries such as Kiribati and Myanmar.
In his speech, Webster explained that people working in cyber security have centred on the safety and security of all types of information, including personal, financial, commercial, legal, and marketing data.
On the other hand, he stressed that his office focuses on the stewardship of and risks to personal information.
“And when things go wrong – when there’s a serious privacy breach which might see personal information exfiltrated, or deliberately corrupted – we ask questions about what happened and why, and - if it’s needed – we can hold agencies to account,” he said in his speech.
According to Webster, by treating privacy as a key consideration, organisations and businesses can reach their goals, keep New Zealanders safe from harm, and promote a free and democratic society.
In his speech, he described the security of information and IT infrastructure as a necessary element of a strong privacy program. He emphasised that security and privacy staff members should collaborate to locate external and internal risks, keep security a priority, and maintain the appropriate resources.
For agencies dealing with the “increasingly super-charged” landscape of threats, Webster noted that his office expected:
In his speech, Webster explained that the Privacy Act 2020 aims to ensure that New Zealanders know when agencies are collecting their information, that they can access it, and that agencies keep personal information safe and secure, as well as use and share it appropriately.
He noted that 13 privacy principles underlying the Privacy Act govern the collection, storage, use, and sharing of personal information among organisations and businesses. Principle 5 relates to information storage and security.
According to Webster, under this principle, organisations should ensure reasonable safeguards in the circumstances and should prevent the loss, misuse, or disclosure of personal information. He listed the following considerations, among others: physical security, electronic security, operational security, and security during transmission and destruction.
In his speech, he stated that the appropriate steps would depend on the following circumstances, among others:
“And of course, AI is only making the challenge facing the cyber security industry even harder,” Webster said in his speech. “Reports show increasingly that AI agents are supercharging cyber-attacks by industrialising the scale of them.”
He referred to an InternetNZ survey, which found that 59 percent of respondents were very or extremely concerned about AI use to breach privacy. He also cited a Kordia survey, which revealed that:
