27 September 2024
Ref: OIA-24-040
John Luke
By Email: [FYI request #28251 email]
Tēnā koe John
Official Information Act 1982 request for CrowdStrike Falcon information
Thank you for your email of 30 August 2024 requesting, under the Official Information Act 1982 (the Act), the
fol owing information:
I am writing to request information regarding the use of CrowdStrike software at Callaghan Innovation.
Specifically, I would appreciate clarification on the following points:
1) Does Cal aghan Innovation utilize CrowdStrike Falcon for cybersecurity?
If so, was a risk analysis conducted in compliance with ISO/IEC 27000 or other recognized methods outlined
in the New Zealand Information Security Manual (NZISM) prior to the procurement of CrowdStrike Falcon?
If available, could you please provide the timestamped document related to this analysis? Additional y, what
is the annual cost of using CrowdStrike for Cal aghan Innovation?
2) Was Callaghan Innovation affected by the 2024 CrowdStrike incident? If yes, how many computers and
staff were impacted? Did any of the affected computers have access to personal information or customer
tax data?
3) Were the CEO and executive leadership team of Callaghan Innovation aware of any risks associated with
CrowdStrike Falcon before the 2024 incident?
4) Have any Māori businesses been refused R&D services from Cal aghan Innovation due to an inability to
guarantee data security as a result of using CrowdStrike?
Please find our responses below the corresponding sections of each part of your request.
1) Does Callaghan Innovation utilize CrowdStrike Falcon for cybersecurity?
Yes.
If so, was a risk analysis conducted in compliance with ISO/IEC 27000 or other recognized methods outlined in
the New Zealand Information Security Manual (NZISM) prior to the procurement of CrowdStrike Falcon?
Yes, a risk analysis was conducted. You can find further information o
n CrowdStrike's certificates on their website
here. If available, could you please provide the timestamped document related to this analysis?
A timestamped document does not exist. Therefore, the specific document you are referring to does not exist or,
despite reasonable efforts to locate it, cannot be found, and we are refusing this part of your request under section
Rukuhia te wāhi ngaro, hei maunga tātai whetū
Explore the unknown, pursue excellence
cal aghaninnovation.govt.nz | Page 1
18(e) of the Act.
Additionally, what is the annual cost of using CrowdStrike for Callaghan Innovation?
This portion of your request is declined under section 18(d) because the information requested for the integration
platform cost which includes CrowdStrike’s services is publicly available on th
e Government Electronic Tender
System (GETS).
2) Was Callaghan Innovation affected by the 2024 CrowdStrike incident? If yes, how many computers and staff
were impacted? Did any of the affected computers have access to personal information or customer tax data?
Yes, Callaghan Innovation was affected. Approximately 200 laptops were affected. The incident/outage occurred
on a Friday evening and by Saturday afternoon Callaghan Innovation’s most critical servers were back online, and
due to this timing, the impact to staff was minimal. No information or material was lost, modified and/or
misappropriately accessed and this includes personal information or customer tax data.
3) Were the CEO and executive leadership team of Callaghan Innovation aware of any risks associated with
CrowdStrike Falcon before the 2024 incident?
Yes, the CEO and executive leadership team were aware of the risks prior to the outage.
4) Have any Māori businesses been refused R&D services from Callaghan Innovation due to an inability to
guarantee data security as a result of using CrowdStrike?
No.
You have the right to seek an investigation and review by the Ombudsman of this decision. Information about how
to make a complaint is available a
t www.ombudsman.parliament.nz or freephone 0800 802 602.
Nāku noa, nā
Jen Cherrington
Chief Innovation Enablement Officer
Callaghan Innovation
Rukuhia te wāhi ngaro, hei maunga tātai whetū
Explore the unknown, pursue excellence
cal aghaninnovation.govt.nz | Page 2