Cyber security incident at Langley Twigg

16 February 2026

Updated 16 February 2026


On 11 January 2026, Langley Twigg suffered a third-party cyber-attack on our IT system. The below provides an update, as at 16 February, about what happened and the actions we are taking to protect our clients’ data.


Protecting your information

We want to assure you that we're taking appropriate legal action to protect your information. On 5 February 2026, we obtained an injunction from the High Court preventing all persons from accessing or distributing any stolen data. The security of our client data is of upmost importance, and this injunction provides us with legal remedies if anyone attempts to access this material. We have served the injunction to relevant websites and individuals resulting in changes and deletions in their published web content, as well as providing the injunction orders to a limited number of media outlets at their request.
 
Our focus remains on the thorough forensic investigation currently underway to determine exactly what was accessed, notifying affected clients directly in accordance with Privacy Act requirements, and taking all available steps to protect any impacted client’s information.

We have also implemented a range of additional security measures in response to the incident and will be taking further steps recommended by our team of security experts.

 

What has happened

As previously advised, we identified a third-party cyber-attack on our IT system. Some data was exfiltrated and a sample of that data was posted on a criminal website.

External forensic specialists are continuing their analysis of what data was accessed. We are progressing this as quickly as we reasonably can, while ensuring the work is done accurately and safely.

We are engaging with the Office of the Privacy Commissioner and with the New Zealand Police as their investigation progresses.

We can confirm that our email systems were not impacted as a result of the incident, you can trust emails from us, and it is safe to keep communicating with Langley Twigg.


How we are responding

Our response follows the contain, assess, notify, prevent framework expected by the Office of the Privacy Commissioner (OPC):

  1. Contain
  • We have, in conjunction with our IT provider and cyber incident response specialists, taken a range of steps to ensure the incident is contained and properly remediated. This has included following best practice guidance on responding to attacks of this nature.
  1. Assess
  • Our forensic and IT partners are working methodically to identify the data impacted and isolate information relating to clients and other individuals that may require notification to those individuals.
  1. Notify
  • We have been communicating with the Office of the Privacy Commissioner and are working towards notifying impacted clients. Where the analysis has identified client information as being impacted, individuals have already been notified. The assessment exercise referred to above is ongoing. While we are working with experts in the area to progress this as quickly as possible, the assessment may take some time to complete. We want to avoid premature or incomplete information that could cause confusion and will provide more specific notifications as soon as we can.
  1. Prevent
  • We have implemented additional security measures in light of the attack and are following a roadmap to further improve our security posture. Our system is subject to ongoing monitoring as we progress this work to ensure any further malicious activity is identified and isolated promptly.


What this means for you

If our analysis confirms that information relating to you has been affected, we will contact you directly with more information and recommended steps.

However, while our investigations and analysis are ongoing, we want to ensure you are informed and are alert to any potential suspicious activity. In particular, we reiterate:

·        Please be extra vigilant and keep an especially keen eye on transactions in your bank account and credit cards.

·        Stay alert for correspondence which seems suspicious or out of place, particularly if that correspondence seeks payment of some kind.

·        If you are making a payment to us, we recommend you verify our bank account details over the phone by phoning one of our staff.

·        You can find more details about prominent scams and how to keep yourself safe online on the National Cyber Security Centre’s “Own Your Online” website: Own your online
 

We are sorry that this has happened. We are working hard to identify whose information may have been compromised and ensure that those affected receive appropriate notifications. 
 
Your usual Langley Twigg contact remains available for queries. However, if you have questions or comments in the interim we would be grateful if these could be sent to enquiries@langleytwigg.co.nz so we can provide consistent, accurate and up to date information. 


Please also see our FAQs for clients