An independent review of how nursing union NZNO released tens of thousands of nurse and caregiver emails to a scammer found it to be an unintentional mistake by keen to be helpful staff.
New Zealand Nurses Organisation Chief Executive Memo Musa said the report concluded that releasing the email database in response to a phishing email was not the result of any deliberate action by staff to compromise member information.
The release of the emails in late October followed somebody claiming to be chief executive Memo Musa contacting the New Zealand Nurses Organisation – using a fake email address – and requesting email contacts for its members.
The 22 page report found that the phishing email request – originating from Lithuania – arrived with NZNO on Labour Day (October 24) and was "legitimised" by requesting a response also be sent to the chief executive's legitimate work email. A staff member catching up with emails after the Long Weekend forwarded it on to a colleague who thought it was an internal email and actioned it.
The report said the culture of the work area that handled the emails had a very positive culture of supporting NZNO members needs and felt responsible to respond to all emails efficiently and effectively. It provided NZNO with eight recommendations to improve its systems, staff awareness and training about phishing emails.
Musa said the report made clear that phishing emails and other spam would be an ongoing problem and reiterated that being on alert for fake emails was a must in this modern internet environment.