The Toolshed - Notification of data breach

Earlier in the year, the Toolshed suffered a cybersecurity incident which may have resulted in unauthorised access to some of your personal information.

This notice may only affect you if we had your personal information on file prior to 8 April 2025.  If you have received a direct notification of this event, you do not need to read this notice.

What happened?

On 8 April, we became aware that an unknown person had exfiltrated data from our systems.  Upon becoming aware of the incident, we immediately took action to secure our systems and commenced an investigation into the cause and scope of the incident.  While the incident was dealt with promptly, because of the volume and nature of the data it has taken a long time to identify any affected individuals and the specific information relating to them.

At this stage, it appears that the intruder had access to a file server, a small percentage of which contained personal information of The Toolshed employees, ex-employees, and clients.  The intruder may have exfiltrated some data from this file server.  However, there is currently no evidence that any data has been published or misused.  As a precautionary measure, we have provided general advice and information below to help protect you in case this notice may apply.

What has The Toolshed done in response to the incident?

We have secured our systems and investigated the cause and scope of the incident.  We engaged a third-party specialist to assess the affected data and assist in identifying sensitive personal information.

We also engaged legal counsel to review the affected data and to provide advice on how to mitigate any potential harm to affected individuals.  Due to the volume of data, this review has taken some time.

We reported the incident to the Office of the Privacy Commissioner (“OPC”) shortly after discovering the breach.  We have updated the OPC at each step and will continue to do so to ensure that all of our obligations are met. 

What personal information was affected?

From our forensic investigation, we understand that the following types of personal information were contained on the file server and may have been accessed and exfiltrated by the intruder:

  • name and address;
  • employment or contractual information;
  • financial details (not credit card or other payment information);
  • identity documentation;
  • medical information.

Not all of this information, if any, may be relevant to you, so please see the contact details below if you would like to discuss your affected personal information specifically.

Steps you can take to protect against potential data misuse

We want to be clear that there is currently no evidence that any of the data has been misused, and if this changes, we will let you know.  Nevertheless, you may consider it important to take steps to prevent a third party from using your information to impersonate you or phish further information from you.

To minimise this risk, we recommend that:

  • you review your financial accounts for suspicious activity, such as unauthorised transactions and requests to change account details, and notify your financial institution as soon as possible if you notice any such activity;
  • if you find you are not receiving mail, check with NZ Post that your mail has not been redirected, and secure your letterbox;
  • if you receive goods or services that you did not order, or notifications about goods or services that you did not order, you should notify the relevant seller or service provider as soon as possible;
  • you be careful of unsolicited emails, SMS messages or telephone calls which purport to be from The Toolshed or a government authority or business;
  • you be wary of anyone contacting you who requests personal information or access credentials from you, even if they appear to know some details about you;
  • for emails, check the sender’s address is the authority’s or business’s real email address - fraudsters can fake the sender’s email address and may send emails from look-alike addresses;
  • you consider declaring that your passport was involved in a data breach (which you can do without replacing it) by visiting New Zealand Identity and Passports. If you are concerned that your passport details may have been misused, you can also arrange to replace your passport through that website; and
  • if you are concerned that your driver’s licence details may have been misused, you can arrange to replace your driver’s licence by visiting the New Zealand Transport Agency.

Regarding your medical information

We appreciate that medical information may be sensitive in nature.  Please note that to date there is no evidence that the intruder has published or misused any of this information.  Nevertheless, we sincerely apologise for any distress that this incident may have caused you.  

Additional sources of information

You can also get advice and support by contacting IDCARE, New Zealand’s national identity & cyber support service on 0800 121 068.  IDCARE has fact sheets about identity fraud and scams on its website.  Additional guidance on steps you can take to protect yourself following a data breach can be found at the Office of the Privacy Commissioner's website.

If you have questions

We here at the Toolshed take the security of your personal information very seriously and we sincerely regret any inconvenience or distress that this incident may have caused you.

If you would like to discuss the situation with us further or if you require further guidance on how to protect your personal information, please do not hesitate to contact admin@thetoolshed.co.nz. We will do our best to answer any question and resolve any complaint you may have. However, if you are unhappy with our response, you have the right to complain to the Office of the Privacy Commissioner at https://www.privacy.org.nz/.

The ToolShed
