AI-Powered Cyberattacks Surge in New Zealand, Disrupting Businesses at Unprecedented Rates
New Zealand businesses are facing a sharp rise in AI-driven cyber threats, with 80% of phishing emails now containing undetectable AI-generated content, according to Kordia’s 10th annual New Zealand Business Cyber Security Report. Over the past 12 months, 44% of large businesses experienced successful attacks, while 61% suffered severe disruptions including extortion in one in five cases.
Emerging Threats and Vulnerabilities
Cybercriminals are increasingly exploiting voice and video-based attacks, leveraging biometric data like facial recognition and voiceprints credentials that cannot be changed once compromised. Patrick Sharp, general manager of Kordia-owned Aura Information Security, warned that these methods prey on emotional manipulation, with AI-assisted phishing campaigns achieving a 54% click-through rate far higher than the 12% for traditional phishing.
Global trends underscore the escalation: McKinsey reports a 1,200% increase in phishing attacks from 2022 to 2025, with organizations targeted every 39 seconds, resulting in daily economic losses of $18 million.
Business Concerns and Response Gaps
New Zealand’s business leaders ranked AI misuse among their top three cybersecurity priorities, with 24% expressing concern over its improper use. Smaller firms (50–99 employees) fear phishing and ransomware, while mid-sized companies (100–200 employees) worry about malicious insiders. Larger enterprises (201–500 employees) prioritize DDoS attacks, and those with over 500 employees view AI-generated threats as the biggest risk.
Despite the risks, 50% of leaders admitted they would pay a ransom, and 8% did so in the past year. Yet, 25% of businesses remain unprepared, lacking data security measures, employee training, or incident response plans. A third of attacked businesses took two months to recover, while another third doubted their ability to survive a major breach.
Regulatory and Insurance Challenges
The report highlights New Zealand’s comparatively lenient penalties for privacy breaches capped at NZ$10,000 compared to Australia’s A$50 million fines. Calls are growing for stricter regulations, mandatory reporting, and government-backed cybersecurity education to align with global standards.
Cyber insurance remains costly, with 17% of businesses filing claims in the past year. However, experts emphasize that insurance should not replace risk mitigation, as many firms absorb losses from data breaches, supply chain disruptions, and extortion.
The global cybersecurity skills gap further complicates defenses, with only 14% of organizations employing adequate talent a deficit that has grown 8% since 2024.
Kordia cybersecurity rating report: https://www.rankiteo.com/company/kordia
"id": "KOR1773095170",
"linkid": "kordia",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'location': 'New Zealand',
'size': ['50-99 employees',
'100-200 employees',
'201-500 employees',
'500+ employees'],
'type': 'businesses'}],
'attack_vector': ['AI-generated phishing emails',
'voice and video-based attacks',
'biometric data exploitation'],
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (biometric data)',
'type_of_data_compromised': ['biometric data',
'personally identifiable '
'information']},
'description': 'New Zealand businesses are facing a sharp rise in AI-driven '
'cyber threats, with 80% of phishing emails now containing '
'undetectable AI-generated content. Over the past 12 months, '
'44% of large businesses experienced successful attacks, while '
'61% suffered severe disruptions including extortion in one in '
'five cases. Cybercriminals are increasingly exploiting voice '
'and video-based attacks, leveraging biometric data like '
'facial recognition and voiceprints.',
'impact': {'data_compromised': ['biometric data (facial recognition, '
'voiceprints)',
'personally identifiable information'],
'downtime': 'Two months for a third of attacked businesses',
'financial_loss': '$18 million daily global economic losses',
'identity_theft_risk': 'High (biometric data compromise)',
'operational_impact': 'Severe disruptions for 61% of businesses'},
'lessons_learned': 'AI-driven threats are escalating, with phishing '
'click-through rates at 54% (vs. 12% for traditional '
'phishing). Businesses lack preparedness, with 25% having '
'no incident response plans and 50% willing to pay '
'ransoms. Cyber insurance is not a substitute for risk '
'mitigation.',
'motivation': ['financial gain', 'data exfiltration', 'extortion'],
'post_incident_analysis': {'corrective_actions': ['Implement stricter '
'regulations',
'Enhance cybersecurity '
'education',
'Develop incident response '
'plans',
'Address skills gap'],
'root_causes': ['AI-generated phishing content',
'Lack of employee training',
'Insufficient incident response '
'plans',
'Global cybersecurity skills gap']},
'ransomware': {'ransom_paid': '8% of businesses paid ransom in the past year'},
'recommendations': ['Stricter regulations and mandatory reporting',
'Government-backed cybersecurity education',
'Enhanced employee training',
'Investment in incident response plans',
'Addressing the cybersecurity skills gap'],
'references': [{'source': 'Kordia’s 10th annual *New Zealand Business Cyber '
'Security Report*'},
{'source': 'McKinsey report on phishing attacks'}],
'regulatory_compliance': {'fines_imposed': 'NZ$10,000 cap for privacy '
'breaches (lenient compared to '
"Australia's A$50 million)",
'regulatory_notifications': 'Calls for mandatory '
'reporting'},
'response': {'incident_response_plan_activated': '25% of businesses lack '
'incident response plans',
'recovery_measures': 'A third of businesses took two months to '
'recover'},
'title': 'AI-Powered Cyberattacks Surge in New Zealand',
'type': ['phishing', 'ransomware', 'DDoS', 'extortion'],
'vulnerability_exploited': ['emotional manipulation',
'lack of employee training',
'insufficient incident response plans']}