UPDATE: Cyber security incident at Langley Twigg

18 May 2026

Updated 18 May 2026


On 11 January 2026, Langley Twigg suffered a third-party cyber-attack on our IT system. 


Our update of 16 February 2026 provides more detail about what happened and the actions we have taken to protect our clients’ data. This update sets out the steps we have taken to investigate the incident, the outcome of the investigation, and next steps.


Our investigation and response

As described in more detail below, initial investigations into the incident identified that data was exfiltrated from Langley Twigg’s systems and a sample of that data was posted on a criminal website. Some of that information included client information.


In response to the incident, Langley Twigg engaged external forensic and cyber experts to investigate the incident, the steps the threat actor took, and to identify the information impacted.


Our appointed experts have confirmed that the third party copied a portion of Langley Twigg’s data from our file server. While the third party did not access our client management system, the file server contained both internal information relating to Langley Twigg’s operations and some client documents. Unfortunately, a limited sample of that data was uploaded by this third party to a website on the “dark web”, a part of the internet not accessible by standard web browsers. 


Much of the intervening period has been taken up in a complicated and time-consuming process to identify what had actually been copied. Due to the data impacted this has been a complicated exercise.


Our client documents have encrypted names, so to identify the files themselves, we had to match these filenames against the millions of documents in our database. Once that had been done, optical character recognition tools were employed to render the documents searchable. A matrix of search terms was then used to identify documents that contained personal information. This was followed by a manual review to check the accuracy of the computer-based techniques. Then by reference back to our client database, the isolated documents could be linked to clients and other individuals.


As a result, we are in the process of sending direct notifications to those individuals with IDs and other similar documents impacted. We note that the data also contained a range of information relating to clients, including some work product. Unfortunately, it has not proven feasible to notify these clients directly in every case. If you are concerned that your data may have been impacted, please do contact us on the email address shown below.


Next steps and further queries

We can confirm that Langley Twigg has notified the Office of the Privacy Commissioner of the incident. 


Given the information impacted we would urge clients to remain vigilant and report any suspicious activity. Helpful advice for staying safe and avoiding scams or fraud can be found on the National Cyber Security Centre (NCSC)’s “Own Your Online” website: https://www.ownyouronline.govt.nz/


If you would like to contact us regarding this notice, please send an email to enquiries@langleytwigg.co.nz

You also have the right, if you have been impacted, to make a complaint to the Office of the Privacy Commissioner.