A Napier law firm is investigating a cyber security incident after a ransomware group claimed responsibility for an attack and posted what it says are employee and client passport scans, financial records, and legal documents online.
Langley Twigg Law said its monitoring tools detected suspicious activity on its systems on Jan. 11, prompting the firm to take its network offline and begin an internal investigation with external support. “On 11 January 2026, our security monitoring software alerted us to unauthorised activity on our computer network. In response, we engaged our IT support provider to take immediate steps to contain the issue. This included switching off and disconnecting the Langley Twigg network from the internet while investigations took place. Despite being protected by cyber security software, our network had suffered a novel attack. Before our systems were restored using backup copies, these were thoroughly checked and measures taken to further bolster security,” a Langley Twigg spokesperson said, as reported by cyberdaily.
The firm engaged digital forensics and cyber incident response specialists, who confirmed that some information was accessed and copied from its systems. The compromised data includes internal records relating to Langley Twigg’s operations and some client documents stored on its file server. “We are currently working with digital forensics and cyber incident response specialists to identify what information was copied from the file server. Once this is done, we will contact affected clients and discuss steps they may wish to take as a consequence. We are working intensively on this process, but please understand that this may take some time to work through. We will provide further updates as our investigation progresses,” Langley Twigg said. The firm said it has notified the Office of the Privacy Commissioner and New Zealand Police about the incident.
On Jan. 25, the Anubis ransomware group added Langley Twigg to its darknet leak site, describing the firm as a victim and outlining the types of data it claims to have obtained. “The leaked data provides insight into the company itself and its financial position. The dataset includes financial reports, employee compensation records, and related documentation. For the company’s employees, the leaked data includes more than just salary information. The materials also contain passport details and other personal documents,” Anubis said, as reported by cyberdaily.
The group has released what appear to be scans of employee passports and other identity documents, along with passports and personal information it states relate to clients of the firm. The posted material also includes property transaction files, hazard reports, and settlement statements; several documents carry Langley Twigg letterhead. While the firm continues to determine exactly what was taken, the publication of identity documents and financial data on a leak site introduces the risk of identity misuse and fraud for affected individuals. For insurers, such incidents typically involve notification and monitoring costs, regulatory engagement, legal work, and incident response and business interruption components.
Anubis is a relatively new ransomware operation, first observed in February 2025 and described by security researchers as a ransomware-as-a-service group with Russian-speaking links. It has been associated with attacks across multiple sectors globally, including healthcare and professional services. Unlike some groups that post only brief statements or data samples, Anubis commonly publishes detailed descriptions of what it says has been taken, drawing attention to items such as financial records, personal identifiers, and regulatory material. It has also been reported to contact third parties, including journalists, to promote access to stolen information. Its most recent known Australia–New Zealand victim before the Langley Twigg listing was Queensland-based medical clinic Laidley Family Doctors, which appeared on its leak site in December 2025. For cyber underwriters and brokers, Anubis represents a type of ransomware activity that combines data theft, leak threats, reputational pressure, and potential regulatory consequences, rather than relying solely on file encryption.
The Langley Twigg incident has coincided with a reminder from internet safety organisation Netsafe that small and medium-sized enterprises, including law firms, remain exposed to both targeted and opportunistic attacks. Netsafe chief online safety officer Sean Lyons said some incidents are directed at specific organisations, while others result from broader attempts to exploit known weaknesses. “It can happen in two ways. It can absolutely be targeted, somebody could decide that a particular entity is holding information that they want,” Lyons said, as reported by RNZ.
Lyons said many campaigns start when an attacker identifies a method they can use across multiple organisations. “That might be sending out emails with fake invoices or attachments, it might be sending other messages, it might be getting them to click on pages on compromised websites,” he said. Once attackers gain access, Lyons said they look for data that can be monetised. “Once they are in, they will be trying to find out just about everything about that organisation and see what’s of value in there, that they can take to either sell or exploit the original owners of that information to blackmail them into giving them money,” he said.
Lyons added that smaller organisations may find it harder to maintain security measures because they often lack internal cyber security teams. “For smaller businesses, it is being aware that these things can happen, that the data they store is of value to other people. Some people might think what could be the value, why could I be a target, but like I said, people aren’t always initially a target, but the information that is in there could be of value to somebody, and blackmailing organisations might be a good way for a criminal to make money,” he said.
The incident occurred shortly after the New Zealand Law Society distributed cyber security guidance to members, focusing on common threat types and practical controls for firms. Chief executive Katie Rusbatch said the legal sector has seen more cyber incidents. “We've seen this on the rise recently, and we have identified a need for some guidance and training in this particular area, and that’s been a focus for us. So, really in terms of the guidance that we’ve shared, it’s focusing on how these things like cyberattacks can happen, what those common threats to law firms are, whether that’s things like e-mail compromise or phishing and things like that. And then some also some guidance that law firms and lawyers can take to minimise the risk and create an environment for stronger security,” Rusbatch said, as reported by RNZ.
Rusbatch said measures outlined by the Law Society include secure access and authentication such as multi-factor authentication for email and trust account platforms, timely application of security updates, staff training on phishing and safe email practices, testing through simulated exercises, incident response planning, and backup and recovery arrangements, including offline and secure cloud backups. The Office of the Privacy Commissioner has confirmed that Langley Twigg has reported the incident and said it will continue to work with the firm “as they further investigate this incident, including ensuring they are aware of their legal obligations in relation to a privacy breach that either has caused or is likely to cause anyone serious harm.” New Zealand Police have also opened an investigation.
The attack on Langley Twigg follows a major breach at ManageMyHealth, a patient health information portal that links patients with clinicians and provides access to medical records. For New Zealand insurers and intermediaries, the two events highlight ongoing cyber and privacy risk in organisations that hold large volumes of identity, financial, and health data, and point to the potential for accumulation across portfolios.
