An independent review of a 2016 incident in which tens of thousands of nurse and caregiver emails were released by the NZNO to a scammer found it to be an unintentional mistake by keen-to-be-helpful staff.
NZNO Chief Executive Memo Musa says the report concluded that releasing the email database in response to a phishing email was not the result of any deliberate action by staff to compromise member information.
The release of the emails in late October followed somebody claiming to be chief executive Memo Musa contacting the NZNO – using a fake email address – and requesting email contacts for its members.
The 22-page report found that the phishing email request – originating from Lithuania – arrived at NZNO on Labour Day (24 October) and was 'legitimised' by requesting that a response also be sent to the chief executive's legitimate work email. A staff member catching up with emails after the long weekend forwarded it on to a colleague, who thought it was an internal email and actioned it.
The report said that the work area that handled the emails had a very positive culture of supporting NZNO members' needs and felt obliged to respond to all emails efficiently and effectively. It provided NZNO with eight recommendations to improve its systems, staff awareness and training around phishing emails.
Musa said the report made it clear that phishing emails and other spam would be an ongoing problem and reiterated that being on alert for fake emails was a must in today's online environment.