eCommerceNews New Zealand - Technology news for digital commerce decision-makers

'Shadow AI' misuse emerges as key cyber threat in NZ

Tue, 10th Mar 2026

Improper use of artificial intelligence by staff has emerged as a leading cyber security concern for New Zealand businesses, as organisations report more incidents linked to AI-related weaknesses and continued exposure to extortion demands.

New research from Kordia, based on a survey of nearly 250 New Zealand businesses with 50 or more employees, found 24% now rank staff misuse of AI among their top three cyber security challenges, up from 16% a year earlier.

The findings point to a shift in how businesses view internal risk. Employees using unsanctioned tools can create new paths for data exposure. The research calls this "shadow AI", where staff use AI tools without approval or oversight.

Patrick Sharp, general manager of Kordia-owned Aura Information Security, linked the change to adoption of AI systems without enough focus on security governance and working practices.

"Insider threats, whether accidental or malicious, have always been a factor in cyber incidents and data breaches," said Patrick Sharp, General Manager, Aura Information Security, Kordia.

He said unauthorised use of AI tools is increasing, with staff copying confidential information into AI systems without understanding the consequences.

AI-linked attacks

Alongside the internal risk, the research recorded an increase in attacks associated with AI weaknesses. Cyber-attacks exploiting AI vulnerabilities rose to 14% in 2025, from 6% in 2024.

At the same time, fewer businesses reported experiencing cyber-attacks overall. Some 44% of respondents said they had been subjected to a cyber-attack in the past 12 months, down from 59% the previous year.

The decline mirrors a fall in incident volumes recorded by New Zealand's National Cyber Security Centre (NCSC). Its Cyber Threat Report 2025 recorded 5,995 incidents in 2024/25, down from 7,122 in 2023/24.

Sharp distinguished between the number of incidents and their financial consequences, citing NCSC figures showing NZD $12.4 million in direct financial loss reported in the third quarter of 2025, up 118% from the previous quarter.

Extortion pressure

Extortion remains a significant feature of the threat landscape. The research found 19% of businesses impacted by a cyber incident faced financial extortion by a cybercriminal, up from 14% in 2024.

Across all surveyed organisations, 8% said they paid a ransom or extortion demand. When a demand was made, 42% of those businesses paid. Separately, 32% of businesses said they would consider paying.

Sharp warned against assuming payment ends the risk, saying businesses cannot rely on criminals to keep their word after receiving money, including when personal data is involved.

Personal information remained a frequent target. The study found 17% of cyber incidents resulted in personal information being accessed or stolen. It also found 21% of businesses were concerned stolen information could be used for blackmail or extortion.

Operational impact

Cyber incidents continued to disrupt business operations. A fifth of businesses hit by a cyber-attack reported disruption, such as being unable to access systems or serve customers.

Elsewhere, nearly two-thirds of businesses that faced cyber incidents said they suffered operational disruption. The research also pointed to supply chain exposure, with 20% reporting supply chain interruption caused by a cyber-attack.

The survey cited recent overseas incidents as examples of operational consequences, including attacks affecting Jaguar Land Rover in the UK, Asahi in Japan, and Marks & Spencer in the UK.

Beyond direct disruption, respondents reported secondary costs, including insurance claims (17%), fines by a regulatory body (11%), and legal action (9%).

Policy debate

The findings also captured business sentiment on government involvement in cyber security. More education programmes on cyber security best practice was the most requested measure, cited by 38% of respondents.

Businesses also backed stricter enforcement around personal data protection. The survey found 36% wanted harsher penalties and fines for businesses that fail to protect personal data, while 27% supported legislation making it illegal to pay ransoms to cybercriminals.

Mandatory reporting rules also attracted support. Some 36% called for mandatory reporting requirements for organisations impacted by major cyber-attacks, similar to measures introduced in Australia.

Sharp said New Zealand's cyber security legislation lags other jurisdictions and pointed to the potential scale of impacts from a major supply chain event.

He urged businesses to prepare well in advance, with a response strategy, clear decision-making roles, and communication plans covering staff, customers, and regulators.

"As challenging as it can be, it's critical that business directors and officers recognise their accountability before they've been breached. There are many passionate and capable cyber security professionals in New Zealand who can guide effective business advice on cyber resilience," Sharp said.