
How Exposed Am I NZ? Check Your Digital Footprint with NCSC Tool

Jack Henry Clarke Howard • 2026-05-09 • Reviewed by Maya Thompson

Most people believe they’re too careful to fall for an online scam — until they see what’s already out there about them. More than half of New Zealand adults faced an online security threat within a six-month period, according to the National Cyber Security Centre (Digital Watch Observatory).

  • New Zealanders who faced an online security threat in six months: 54%
  • Percentage who felt vulnerable despite the threat: 42%
  • New Zealand account details exposed to scammers: 4.3 million
  • Checks run with the NCSC ‘How Exposed Am I’ tool: over 1 million

Quick snapshot

1. Confirmed facts
2. What’s unclear
  • Whether Synnovis paid the ransom remains unconfirmed
  • Effectiveness of the tool in reducing scam success rates is not yet measured
  • Exact number of Lumma Stealer victims in New Zealand is unknown
  • Whether the total number of breaches involving NZ accounts exceeds 4.3 million remains unclear
3. Timeline signal
4. What’s next
  • Check your exposure using the free tool at howexposedami.co.nz
  • Enable two-factor authentication on all critical accounts
  • Monitor for signs of identity theft and report to authorities promptly

Four pieces of data that show the scale of the problem — and the gap between perception and reality.

| Metric | Value |
| --- | --- |
| Online security threat in 6 months | 54% of NZ adults |
| Feel vulnerable online | Only 42% |
| Accounts exposed | 4.3 million |
| NCSC tool launch | October 2025 |

The implication: despite widespread exposure, fewer than half of Kiwis feel vulnerable — a disconnect that the NCSC tool aims to bridge.

What is the NCSC Lumma stealer warning?

What is Lumma Stealer?

  • Lumma Stealer is a malware strain flagged by the NCSC as an active threat to New Zealand users (NCSC Official)
  • It targets credentials and sensitive data, often leading to financial fraud

How to protect yourself from malware like Lumma Stealer

  • Use long, unique passwords for every account — NCSC recommends at least 12 characters (NCSC Official)
  • Enable two-factor authentication on email, banking, and social media to block 99% of automated attacks (Digital Watch Observatory)
  • Avoid clicking suspicious links or opening attachments from unknown senders

What actions has the NCSC taken?

  • Issued a public warning in October 2025 about the Lumma Stealer malware (NCSC Official)
  • Released the ‘How Exposed Am I’ tool during Cyber Smart Week to help Kiwis check if their data has been leaked (Digital Watch Observatory)
  • Partnered with Own Your Online to build a national cyber resilience campaign (NCSC Official)

The pattern: the NCSC is shifting from simply issuing warnings to giving Kiwis a practical tool to see their own risk — a far more proactive approach than most countries have adopted.

TL;DR: The NCSC has identified Lumma Stealer as an active threat and released a tool that lets you check if your credentials have been leaked. The agency is moving beyond warnings to give Kiwis direct insight into their digital exposure.

How do I check if someone is using my identity in NZ?

Using the ‘How Exposed Am I’ tool

  1. Visit howexposedami.co.nz, part of the Own Your Online platform (NCSC Official)
  2. The tool scans public breach databases — including Have I Been Pwned — and displays what scammers already know about you (Digital Watch Observatory)
  3. No personal information is stored or shared; the tool runs a privacy-safe check

Steps to verify identity theft via government resources

Signs that your identity has been compromised

  • Unexpected bills or debt collection notices addressed to you
  • Accounts you didn’t open appearing on your credit report
  • Incorrect information on your tax or benefit records

What this means: even if you haven’t noticed anything suspicious, running a quick check with the NCSC tool takes two minutes — and can save you thousands of dollars, given the average loss of $1,260 per cyber attack victim in NZ (NCSC Official).

What is the breach notification law in New Zealand?

Summary of the Privacy Act 2020

What organisations must do after a data breach

  • Assess the breach and determine if serious harm is likely
  • Notify affected individuals as soon as practicable
  • Have a breach management plan in place and practice it with scenarios (Office of the Privacy Commissioner)

Your rights as an individual

  • You have the right to be informed if your data is breached and serious harm may result
  • You can complain to the Privacy Commissioner if an organisation fails to meet its obligations
  • You can request access to your personal information held by any agency

The trade-off: New Zealand’s notification law gives you the right to know — but only if the organisation takes responsibility. If you suspect a breach went unreported, you can contact the Privacy Commissioner directly.

The catch

Knowing the law is one thing; checking your own exposure is another. The ‘How Exposed Am I’ tool may reveal breaches that organisations never told you about — putting the power back in your hands.

The implication: Kiwis can no longer rely solely on organisations to inform them; self-checking is essential.

How do you know if you’ve been affected by a data breach?

Signs your data may have been exposed

  • Unexpected password reset emails or two-factor authentication prompts
  • Strange charges on credit cards or bank accounts
  • Friends receiving spam messages from your accounts

Using tools like Have I Been Pwned and NCSC checker

  • The NCSC ‘How Exposed Am I’ tool uses the same public breach data as Have I Been Pwned (Digital Watch Observatory)
  • Both services check your email or phone number against millions of breach records
  • Run a check periodically — especially after you hear about a major breach

What to do if you suspect involvement

  • Change the password of the affected account immediately, and use a unique password
  • Enable two-factor authentication on that account and all critical accounts
  • Report the incident to the NCSC using their incident reporting tool for individuals
  • Contact the organisation that suffered the breach for specific guidance

The implication: you don’t need to wait for an official notification. With free tools and a few minutes, you can take the first step yourself.

Pro tip: Bookmark the NCSC tool and schedule a quarterly reminder. Regular checks dramatically increase the chance of catching breaches early.

Is ‘How Exposed Am I’ legit?

Official source of the tool

  • The tool is developed and hosted by the National Cyber Security Centre (NCSC) in partnership with the Own Your Online campaign (NCSC Official)
  • It’s a .govt.nz service — the strongest signal of authenticity for New Zealanders

How the tool works and what data it uses

  • It queries public breach databases — primarily Have I Been Pwned — to see if your email or phone appears in known leaks (Digital Watch Observatory)
  • No new data is collected; the tool only checks what’s already public

Privacy and security of the tool

  • The tool does not store the email or phone number you enter
  • It does not share your information with third parties
  • The NCSC states it runs entirely within a privacy-safe framework (NCSC Official)

Why this matters: a legitimate, government-backed tool that respects your privacy is the most reliable way to check your exposure without creating new risks.

Timeline: key events in New Zealand’s cyber vigilance

  • October 2025 — NCSC releases ‘How Exposed Am I’ tool and warns about Lumma Stealer malware (NCSC Official)
  • 2020 — Privacy Act 2020 enacted, including mandatory breach notification (Office of the Privacy Commissioner)
  • Ongoing — CERT NZ and NCSC continuously monitor cyber threats and issue alerts

The pattern: the timeline shows a country progressively building a framework — from law to tool to warning — that keeps Kiwis one step ahead of scammers.

What’s confirmed — and what’s still unclear

Confirmed facts

  • NCSC launched the ‘How Exposed Am I’ tool in October 2025 (NCSC Official)
  • Lumma Stealer is an active threat targeting NZ (NCSC Official)
  • Breach notification law under Privacy Act 2020 is in effect (Office of the Privacy Commissioner)
  • Over 4.3 million NZ account details are exposed (NCSC Official)

What’s still unclear

  • Whether Synnovis paid the ransom (unconfirmed)
  • Effectiveness of the tool in reducing scam success rates
  • Exact number of Lumma Stealer infections in New Zealand
  • Whether the total count of leaked NZ accounts is even higher than 4.3 million

The bottom line: New Zealand has a strong legal framework and a practical self-check tool, but individuals must take the initiative.

“Recent research indicates that more than half of New Zealanders faced an online security threat over a six-month period.”

— NCSC spokesperson, official news release

“No one knows you”

— Own Your Online campaign tagline

For the average Kiwi, the choice is clear: check your exposure today, or risk becoming part of the next 4.3 million. A two‑minute check costs nothing — but ignoring it could cost you $1,260 or more.


Frequently asked questions

How does ‘How Exposed Am I’ protect my privacy?

The tool does not store the information you enter; it only queries public breach databases and discards the input after the check. No personal data is ever saved or shared.

Is the ‘How Exposed Am I’ tool free to use?

Yes, entirely free. It’s a public service provided by the NCSC and Own Your Online, funded by the New Zealand government.

Do I need to enter personal information to use the tool?

You only need your email address or phone number — the same information that may already be in public breach databases. No name, address, or ID numbers are required.

How often should I check my exposure?

There’s no fixed schedule, but a good rule is to check after any major breach announcement (e.g., a financial institution or telecom provider) and at least every three months.

Can I remove my data from the tool?

The tool does not store your data, so there is nothing to remove. It only displays information already publicly available from breaches.

What should I do if the tool shows my data is exposed?

Change the exposed password immediately, enable two-factor authentication on the affected account, and if financial information was involved, contact your bank. Also report the exposure to the NCSC’s incident reporting tool.

Does the NCSC alert about other malware besides Lumma?

Yes, the NCSC and CERT NZ issue alerts for a range of threats. You can subscribe to their advisories to stay informed.

For most users, the FAQ answers cover common concerns about using the NCSC tool.


