In March 2026 we saw growing pressure on organisations to strengthen both cyber resilience and accountability, as governments, regulators, and attackers continued to focus on high-impact environments. In New Zealand, proposed critical infrastructure penalties signalled a sharper regulatory approach to serious cybersecurity failures, while globally, major data breaches, platform liability cases, active FortiClient EMS exploitation, and trusted-service phishing campaigns reinforced how quickly cyber risk can move from technical compromise to operational, financial, and legal consequence.
Happenings
[NZ] Breaches May Now Lead to Fines for Critical Infrastructure – Including Directors
The New Zealand Government released their Cyber Security Strategy and Action Plan in March 2026 which sets out New Zealand’s vision and priorities for cybersecurity from 2026 – 2030. Alongside this, the Government has published a new strategy to enhance and uplift the security of New Zealand’s critical infrastructure systems, which includes power generation and distribution, water distribution and waste, telecommunication systems, and transport infrastructure.
The strategy comes at a time when the world is observing increased targeted attacks against critical infrastructure systems, with consequences that reach beyond the digital world: civil unrest, health risks, and reduced trust in government or essential services are all highlighted as issues that accompany critical infrastructure disruptions. The US gas pipeline attack (Colonial Pipeline), the Ukrainian power grid shut-offs, and the US water system attacks in 2021-2023 highlight how impactful cyberattacks against core infrastructure can be.
New Zealand is looking to follow in the footsteps of other countries such as Australia, Singapore, and the UK, which have all moved to regulate cybersecurity for the critical infrastructure sector. The paper proposes large penalties for critical infrastructure organisations that have serious cybersecurity breaches and failings, including a penalty of $5 million or 2% of turnover, and a $500,000 fine for directors. These fines would provide a strong incentive to push compliance with the relevant frameworks.
While a variety of other industries in New Zealand are regulated, such as banking, telecommunications, and healthcare, this is a step in a new direction of cybersecurity regulation for private enterprises. The government is aiming to reduce the number of cyberattacks impacting the public and has taken aim at critical infrastructure first given the major impacts this can have, especially given the heightened economic instability and global conflict. It will be interesting to watch this space to see if the strategy is implemented, and how organisations will react to improve their cybersecurity capabilities.
[US] Hightower Holdings Breach
Hightower Holdings, one of the largest wealth management firms in the United States, has disclosed a data breach that exposed the personal information of approximately 133,000 customers. The firm provides financial management, retirement planning, wealth and investment services, and trust administration, managing around $350 billion USD on behalf of their customers. Hightower filed a data breach notification with the Maine Attorney General’s office on 25 March, confirming the scope of the incident and the steps taken to inform and protect affected individuals.
According to the data breach notification, threat actors compromised Hightower’s environment on two separate occasions in January (9th and 19th) using two different compromised user accounts. The breach was identified on 12 March during routine security checks, with impacted customers notified approximately two weeks later on 26 March. During the breach, the attackers accessed customer records containing sensitive personal information, including full names, Social Security numbers, dates of birth, driver’s licence details, and account-related information. Hightower stated that the breach was caused by compromised accounts rather than a broader deficiency in its environment, though detailed technical information has not been publicly released. Adding to the incident, a former employee has filed a lawsuit in Illinois federal court alleging that the company failed to properly secure and safeguard client information, including claims that customer data was not adequately encrypted or otherwise protected in relation to this breach.
Impacted customers have been offered 12 months of free identity protection services, with no confirmed reports of fraud linked to the breach at this time. The incident highlights the ongoing risks facing financial institutions that hold large volumes of sensitive personal and financial data, and the need to keep response plans up to date, perform regular targeted cyber simulations, and implement appropriate monitoring of systems containing sensitive information.
[US] Meta Fines – Social Media Platform Held Responsible
Recent cases against Meta may signal a shift in how social media companies are being held accountable, especially regarding harm to younger users. In one major ruling, Meta faces a $375 million USD penalty over claims it failed to prevent child exploitation on its platforms, with the court finding the implemented safeguards insufficient to protect minors. This is a landmark case against Meta, as it is the first major instance of the social media giant being held liable for harm caused by its platform. It took the jury less than a day of deliberation to find Meta guilty of violating New Mexico’s consumer protection laws in the case brought by the state attorney general. The case was built up over a significant period and originally filed in 2023, with state investigators posing as children on social media to document interactions and Meta’s response.
In a separate case, a 20-year-old woman was awarded $4.2 million USD after successfully arguing that her own experience of social media addiction resulted in mental health harm. The lawsuit claimed Meta’s platforms are deliberately designed to maximise engagement, keeping users hooked despite the negative effects. YouTube, also named in the case, was ordered to pay the plaintiff an additional $1.8 million USD.
Social media platforms have been able to avoid legal responsibility for the use of their platforms for years, which now may no longer be the case. We expect that the major players in the social media space will look to adjust the protections and guard rails for their platforms, to avoid future fines.
[Global] Critical FortiClient EMS Vulnerability Exploited in the Wild
Fortinet has warned that a critical security vulnerability in FortiClient EMS is now being actively exploited in the wild. FortiClient EMS is a central management server used to deploy and manage endpoint security software across an organisation, placing it in a highly sensitive position within the environment. The vulnerability, tracked as CVE-2026-21643, may allow an unauthenticated attacker to send specially crafted web requests to a vulnerable server and execute arbitrary code. Fortinet has confirmed that FortiClient EMS version 7.4.4 is affected, and that upgrading to version 7.4.5 or later remediates the issue.
The primary risk is that an exposed and unpatched management server could enable an attacker to take control of endpoint protection across the organisation. Given the platform’s central role in managing large numbers of devices, this could provide a pathway to broader compromise or disruption. Fortinet has rated the vulnerability as Critical, with a CVSS score of 9.8, and the urgency of patching has increased further as exploitation is no longer theoretical – Fortinet’s PSIRT advisory now confirms that the vulnerability has been observed being exploited in the wild, and security researchers have also already reported real-world attacks.
Additionally, Shodan and Shadowserver scans show that many FortiClient EMS instances are accessible from the internet, increasing the likelihood of widespread exploitation. Organisations using FortiClient EMS are advised to prioritise updating to version 7.4.5 or later as soon as possible to mitigate this risk.
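A practical first step for the advisory above is to triage your own EMS inventory against the versions it names, ranking internet-exposed affected servers ahead of internal ones. The following is an added Python example written for this newsletter; it is not Fortinet's code or tooling. It assumes you can feed it the version string from each EMS console or CMDB and an exposure flag from an external attack-surface scan; the hostnames and versions in the inventory are constructed, and only the versions the summary states (7.4.4 affected, 7.4.5 or later fixed) are treated as known.

```python
import re
from dataclasses import dataclass

# Versions taken from the advisory summary above: 7.4.4 is affected,
# 7.4.5 or later remediates CVE-2026-21643. Anything else is "not-listed".
AFFECTED = {(7, 4, 4)}
FIXED_FROM = (7, 4, 5)


@dataclass
class EmsHost:
    name: str
    version: str            # version string as reported by the console / CMDB
    internet_exposed: bool  # e.g. from an external attack-surface scan


def parse_version(text):
    """Convert '7.4.4' or '7.4.4 build 1924' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def status_for(version):
    """Classify a version against the advisory: affected, fixed, or not named in it."""
    v = parse_version(version)
    if v in AFFECTED:
        return "affected"
    if v >= FIXED_FROM:
        return "fixed"
    # Older branch not covered by the text above: confirm against Fortinet PSIRT
    # rather than assuming it is safe.
    return "not-listed"


def priority_for(host):
    """Rank remediation: exposed + affected first, internal affected next, unknowns after."""
    status = status_for(host.version)
    if status == "affected" and host.internet_exposed:
        return 1
    if status == "affected":
        return 2
    if status == "not-listed":
        return 3
    return 4


def triage(hosts):
    """Return (priority, status, host) tuples, most urgent first."""
    rows = [(priority_for(h), status_for(h.version), h) for h in hosts]
    return sorted(rows, key=lambda r: (r[0], r[2].name))


# Constructed inventory (hypothetical hostnames and exposure; not from the page).
INVENTORY = [
    EmsHost("ems-syd-01", "7.4.4", internet_exposed=True),
    EmsHost("ems-akl-01", "7.4.4 build 1924", internet_exposed=False),
    EmsHost("ems-lab-01", "7.4.5", internet_exposed=True),
    EmsHost("ems-old-01", "7.2.8", internet_exposed=False),
]

if __name__ == "__main__":
    for prio, status, host in triage(INVENTORY):
        exposure = "internet-exposed" if host.internet_exposed else "internal"
        print(f"P{prio} {host.name:12} {host.version:18} {status:10} {exposure}")
```

The "not-listed" bucket is deliberate: a version the advisory does not mention is a question for the vendor advisory, not a pass, so it sorts above confirmed-fixed hosts in the work queue.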
Techniques and Updates
Third Party Callback Phishing
Attackers are increasingly abusing legitimate cloud services to deliver phishing; in a recently identified campaign, Microsoft Azure Monitor alerts were used as the delivery mechanism. By configuring real alerting functionality, threat actors generated emails that appeared to come from a trusted system, warning of suspicious activity or urgent account issues. In this campaign, the attackers used a configurable free-text field in the alerting service, intended to hold a description of the alert, to carry their callback phishing lure: the message advised users that they may lose their access if they did not call and resolve an outstanding Microsoft bill. Azure Monitor (like many systems of this type) has little or no validation on outbound email: it is as simple as entering the victim's email address as a recipient of the alert, entering the phishing message, and configuring a simple trigger to fire the alert. Microsoft then delivers the crafted phishing email via its own trusted infrastructure.
This approach plays on familiarity and routine rather than technical deception alone. Users are far more likely to trust and act on something that looks like a standard system notification, particularly if it appears to come from a platform already in use. Organisations need to think beyond traditional phishing controls and focus on how these trusted channels are used. Setting clear expectations around how alerts are delivered, encouraging reporting of unexpected messages, and raising awareness of callback-style attacks will help reduce the impact of this style of attack.
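Because the sender, transport and branding are all genuine in this campaign, detection has to look at the alert content itself. The following added Python example (written for this newsletter, not part of the campaign analysis or any Microsoft tooling) scores alert-style emails for the callback pattern described above: a phone number next to a "call" instruction, urgency language, a billing theme, and an alert that does not originate from one of your own Azure subscriptions. It assumes the notification body carries a "Subscription ID:" line (the layout and all sample messages are constructed) and that the attacker's alert rule lives in a subscription you do not own, which is why a known subscription keeps an otherwise phone-bearing internal notice below the threshold.

```python
import re

# Heuristics for callback-style lures delivered through a trusted alerting service.
# Tune the weights against your own mail; this complements, not replaces, the gateway.
PHONE_RE = re.compile(r"\(?\+?\d{2,4}\)?[\s.-]?\d{3,4}[\s.-]?\d{3,4}")
CALL_VERB_RE = re.compile(r"\b(call|phone|dial|ring)\b", re.IGNORECASE)
URGENCY_PHRASES = ("lose access", "lose your access", "suspended", "outstanding bill",
                   "immediately", "within 24 hours", "final notice")
BILLING_WORDS = ("bill", "invoice", "payment", "subscription fee")
# Assumed notification layout: a "Subscription ID: <guid>" line in the body.
SUBSCRIPTION_RE = re.compile(r"Subscription ID:\s*([0-9a-f-]{36})", re.IGNORECASE)

# Constructed: the Azure subscription IDs this organisation actually owns.
KNOWN_SUBSCRIPTIONS = {"11111111-1111-1111-1111-111111111111"}

WEIGHTS = {"phone-callback-lure": 2, "unknown-subscription": 2,
           "urgency-language": 1, "billing-theme": 1}
SUSPICIOUS_AT = 3


def extract_subscription(body):
    """Pull the originating subscription ID out of the alert body, or None."""
    m = SUBSCRIPTION_RE.search(body)
    return m.group(1).lower() if m else None


def analyse_alert(message):
    """Score one alert-style email: message = {'from': ..., 'subject': ..., 'body': ...}."""
    body = message["body"]
    lowered = body.lower()
    flags = []
    # A phone number on its own is common in real alerts; pair it with a call instruction.
    if PHONE_RE.search(body) and CALL_VERB_RE.search(body):
        flags.append("phone-callback-lure")
    if any(p in lowered for p in URGENCY_PHRASES):
        flags.append("urgency-language")
    if any(w in lowered for w in BILLING_WORDS):
        flags.append("billing-theme")
    if extract_subscription(body) not in KNOWN_SUBSCRIPTIONS:
        flags.append("unknown-subscription")
    score = sum(WEIGHTS[f] for f in flags)
    return {"flags": flags, "score": score,
            "verdict": "suspicious" if score >= SUSPICIOUS_AT else "ok"}


# Constructed sample notifications modelled on the campaign described above.
LURE = {
    "from": "azure-noreply@microsoft.com",
    "subject": "Azure Monitor alert: Severity 1",
    "body": ("Azure Monitor alert fired: Severity 1\n"
             "Subscription ID: 9f3c2a10-aaaa-bbbb-cccc-000000000001\n"
             "Description: Your Microsoft 365 account has an outstanding bill. "
             "You may lose your access within 24 hours. "
             "Call our billing desk on 0800 123 456 to resolve this.\n"),
}
BENIGN = {
    "from": "azure-noreply@microsoft.com",
    "subject": "Azure Monitor alert: Severity 3",
    "body": ("Azure Monitor alert fired: Severity 3\n"
             "Subscription ID: 11111111-1111-1111-1111-111111111111\n"
             "Description: Percentage CPU on vm-prod-01 exceeded 90% at 2026-03-12 10:15 UTC.\n"),
}
INTERNAL_CALLOUT = {
    "from": "azure-noreply@microsoft.com",
    "subject": "Azure Monitor alert: Severity 2",
    "body": ("Azure Monitor alert fired: Severity 2\n"
             "Subscription ID: 11111111-1111-1111-1111-111111111111\n"
             "Description: Disk space low on fs-01. If unresolved by 09:00, "
             "call the on-call engineer on 021 234 5678.\n"),
}

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("benign", BENIGN), ("internal", INTERNAL_CALLOUT)):
        print(name, analyse_alert(msg))
```

The subscription check is the strongest signal here precisely because the email headers are useless: the message really did come from Microsoft. Feeding the result into a mail-flow rule that tags or quarantines "suspicious" alert emails is the natural next step.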
Microsoft Updates
Microsoft’s March updates introduced a series of security enhancements across identity and access management, with a clear emphasis on strengthening authentication and tightening access control. Notably, many of these changes are being applied automatically at the tenant level, rather than as optional or opt-in features, reflecting Microsoft’s continued move toward a secure-by-default posture.
Conditional Access capabilities have been expanded, enabling more granular control over how and when access is granted. These updates reinforce a broader shift toward context-aware access decisions, incorporating signals such as device state, location, and user or session risk. As a result, authentication flows that may previously have bypassed stricter controls are now more consistently evaluated and challenged. While this improves security, it may also lead to an increase in user prompts or authentication friction if policies are not carefully aligned.
A key theme of these changes is the growing importance of device-based signals. With deeper integration between Conditional Access and Intune, organisations are increasingly required to leverage Intune-managed endpoints to fully utilise the protections available within the Microsoft security stack. Device compliance, health, and configuration now play a central role in access decisions, effectively making endpoint management a prerequisite for achieving comprehensive and context-aware control.
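The friction warning above is easiest to reason about by previewing, the way Conditional Access report-only mode does, how a set of recent sign-ins would fare under a device-and-risk-aware policy compared with a legacy risk-only one. The following is an added Python example written for this newsletter; it is a deliberately simplified model and not Microsoft's policy schema or evaluation engine. The policy dictionaries, the "allow/mfa/block" outcomes and the sample sign-ins are all constructed assumptions; in a real tenant you would pull the same signals (Intune compliance, named locations, sign-in risk) from the sign-in logs.

```python
from collections import Counter
from dataclasses import dataclass

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    device_compliant: bool   # Intune compliance state of the device used
    trusted_location: bool   # sign-in came from a named/trusted network
    risk: str                # Entra sign-in risk level: none/low/medium/high


# Hypothetical simplified policies (assumption; not Microsoft's schema).
LEGACY_POLICY = {
    "name": "MFA when sign-in risk is medium or higher",
    "block_high_risk": False,
    "require_compliant_device": False,
    "mfa_min_risk": "medium",
    "mfa_from_untrusted_location": False,
}

CONTEXT_AWARE_POLICY = {
    "name": "Compliant device required, risk- and location-aware MFA",
    "block_high_risk": True,
    "require_compliant_device": True,
    "mfa_min_risk": "low",
    "mfa_from_untrusted_location": True,
}


def evaluate(policy, s):
    """Return 'allow', 'mfa' or 'block' for one sign-in under one policy."""
    risk = RISK_ORDER[s.risk]
    if policy["block_high_risk"] and risk >= RISK_ORDER["high"]:
        return "block"
    # A device-compliance grant control is a hard requirement, not a prompt:
    # unmanaged or non-compliant devices are denied outright.
    if policy["require_compliant_device"] and not s.device_compliant:
        return "block"
    if risk >= RISK_ORDER[policy["mfa_min_risk"]]:
        return "mfa"
    if policy["mfa_from_untrusted_location"] and not s.trusted_location:
        return "mfa"
    return "allow"


def preview(policy, signins):
    """Count outcomes for a batch of sign-ins, as a report-only preview would."""
    return dict(Counter(evaluate(policy, s) for s in signins))


def changed_outcomes(old_policy, new_policy, signins):
    """List (user, before, after) for every sign-in whose outcome changes."""
    out = []
    for s in signins:
        before, after = evaluate(old_policy, s), evaluate(new_policy, s)
        if before != after:
            out.append((s.user, before, after))
    return out


# Constructed sample sign-ins (hypothetical users).
SAMPLE_SIGNINS = [
    SignIn("alice", device_compliant=True,  trusted_location=True,  risk="none"),
    SignIn("bob",   device_compliant=False, trusted_location=True,  risk="none"),   # BYOD laptop
    SignIn("carol", device_compliant=True,  trusted_location=False, risk="none"),   # hotel Wi-Fi
    SignIn("dave",  device_compliant=True,  trusted_location=False, risk="low"),
    SignIn("erin",  device_compliant=False, trusted_location=False, risk="medium"),
    SignIn("frank", device_compliant=True,  trusted_location=True,  risk="high"),
]

if __name__ == "__main__":
    print("legacy       :", preview(LEGACY_POLICY, SAMPLE_SIGNINS))
    print("context-aware:", preview(CONTEXT_AWARE_POLICY, SAMPLE_SIGNINS))
    for user, before, after in changed_outcomes(LEGACY_POLICY, CONTEXT_AWARE_POLICY, SAMPLE_SIGNINS):
        print(f"  {user}: {before} -> {after}")
```

The interesting rows are the ones that move from "allow" straight to "block": those are users on unmanaged devices who will not see an MFA prompt but a denial, which is why enrolling endpoints in Intune has to precede, not follow, turning on a compliant-device requirement.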
Microsoft is also continuing its transition toward passwordless authentication, with expanded support for passkeys across Entra ID. Passkey profiles are now being automatically enabled across tenants, including the migration of existing FIDO2 authentication method configurations into the new passkey model, and in some cases enabling support for synced passkeys. Synced passkeys leverage FIDO2 standards but allow credentials to be securely synchronised across a user’s devices via platform ecosystems such as Apple, Google, or Microsoft. Each device stores its own protected copy of the credential, which is unlocked locally using a biometric factor or PIN. This improves usability by removing the need to re-register credentials on each device, while maintaining phishing-resistant authentication.
Alongside these preventative controls, user-driven detection remains critical. As phishing techniques continue to evolve, particularly through the abuse of trusted platforms and system-like messaging, enabling users to quickly and confidently report suspicious activity is essential to maintaining an effective security posture.