Kordia 2026 Report: 17% of NZ Cyber Incidents End in Data Theft

A newly released industry report is putting a precise number on a problem most organizations know exists but struggle to measure: cyber incidents that end in the theft of personal data now account for a significant share of all security events. According to the 2026 Kordia New Zealand Business Cyber Security Report, 17% of cyber incidents, roughly one in six, result in the unauthorized access or theft of personal information. Alongside that figure, the report flags improper AI use by employees as one of the most pressing emerging threats facing organizations today.

Together, these findings paint a picture of a threat environment that is shifting faster than many conventional defenses are built to handle.

What the Kordia 2026 Report Actually Found

The Kordia report surveys New Zealand businesses across sectors and sizes, making it one of the more grounded regional snapshots of how cyber incidents actually play out in practice. The headline number, 17% of incidents ending in personal data exposure, is notable because it captures a specific outcome rather than just attack volume or type.

Many cybersecurity reports focus on how attacks begin: phishing emails, compromised credentials, unpatched software. This report draws attention to where attacks end, and for a significant proportion, that endpoint is someone's personal information leaving the organization's control. That distinction matters for understanding risk in terms that regulators, customers, and boards actually care about.

The report also highlights improper AI usage by staff as an emerging challenge. This refers to employees feeding sensitive data into external AI tools, using unapproved AI platforms, or sharing confidential information while trying to automate their work. It is not malicious intent in most cases. It is convenience overriding caution.

Why One in Six Incidents Ends in a Data Breach

The 17% figure reflects a few structural realities about how modern organizations handle data. Personal information tends to be stored across multiple systems, shared widely within organizations, and accessed regularly by employees at many levels. That distribution means any successful intrusion has a reasonable chance of touching personal data before it is detected and contained.

It also reflects the high value of personal information as a target. Attackers who gain access to a network are often specifically looking for names, contact details, financial records, and identity information. These have direct resale value and can be used in follow-on fraud and social engineering attacks.

The gap between an incident occurring and personal data being confirmed as compromised is also a factor. Detection delays give attackers more time to locate and exfiltrate the most valuable records. Organizations that lack robust logging, segmentation, or monitoring are more likely to discover a breach only after data has already left.

This pattern is not unique to New Zealand. It aligns with what researchers have documented globally: regulated entities and well-resourced organizations still routinely mishandle personal data, as explored in the case of the EU age verification app that was breached within minutes of its launch, where design assumptions about security proved fatally optimistic almost immediately.

The AI Insider Threat VPNs Can't Solve Alone

The AI usage finding deserves particular attention because it represents a category of risk that most existing security tools are not designed to address. When an employee pastes client records into a public AI assistant or uses an unapproved productivity tool to process HR data, no firewall triggers, no VPN flag activates, and no intrusion detection system raises an alarm. The data leaves through a perfectly legitimate channel.

This is the core problem with insider-driven exposure: it often looks identical to normal work. A VPN secures the connection between a device and a corporate network. It does not govern what an employee does with data once they have legitimate access to it. Encryption protects data in transit between trusted endpoints; it does not protect data that an authorized user chooses to send somewhere unauthorized.

Organizations that have invested heavily in perimeter security tools, including VPNs, endpoint protection, and firewalls, can still be exposed if they have not addressed the human and policy layer. The Kordia findings suggest this gap is growing as AI tools become cheaper, more capable, and more embedded in everyday workflows.

The challenge is compounded by how quickly the AI tool landscape changes. A policy written six months ago may not cover platforms that employees are using today.

Building a Privacy Defense That Goes Beyond VPNs

Addressing both the data theft rate and the AI insider threat requires a layered approach that combines technical controls with organizational policy and user education.

On the technical side, data loss prevention (DLP) tools can be configured to detect when sensitive categories of information are being sent to external platforms, including AI services. Network monitoring that logs outbound data transfers can help identify unusual patterns. Access controls that limit which employees can reach which data reduce the blast radius of any single incident.

On the policy side, organizations need clear, current guidance on approved AI tools, what data categories can be processed externally, and what the consequences of policy violations are. Ambiguity is a liability. Employees who are unsure whether a tool is approved will often default to using it anyway, especially if it makes their job easier.
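One way to implement the DLP and approved-tool checks described in the two paragraphs above, as an added example that is not part of the Kordia report or any vendor's product: outbound requests are classified by sensitive data category and matched against an allow-list of approved AI services. The host names, the two data categories, the policy decisions and the sample requests are all constructed placeholders.

```python
import re

# Added example (not from the report or any vendor); hosts and requests are constructed placeholders.
APPROVED_AI_HOSTS = {"ai.approved-vendor.example", "assistant.internal.example"}
UNAPPROVED_AI_HOSTS = {"chat.public-ai.example", "summarize.freetool.example"}
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(payload: str) -> set[str]:
    """Return the sensitive data categories present in an outbound payload."""
    found = set()
    if EMAIL_RE.search(payload):
        found.add("email")
    for m in CARD_RE.finditer(payload):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("payment_card")
    return found


def evaluate(host: str, payload: str) -> str:
    """Decide allow / alert / block for one outbound request under the constructed policy."""
    categories = classify(payload)
    if host in APPROVED_AI_HOSTS:
        # Approved tools may handle contact data but never payment card data.
        return "block" if "payment_card" in categories else "allow"
    if host in UNAPPROVED_AI_HOSTS:
        # Shadow AI: block any sensitive data, alert on plain usage so policy owners see it.
        return "block" if categories else "alert"
    # Any other external destination: alert when sensitive categories are present.
    return "alert" if categories else "allow"


SAMPLE_REQUESTS = [  # constructed, not captured traffic
    ("assistant.internal.example", "Draft a reply to jane.doe@example.org about the delay"),
    ("chat.public-ai.example", "Summarise: card 4111 1111 1111 1111 exp 12/27 holder J Doe"),
    ("chat.public-ai.example", "Rewrite this paragraph about quarterly planning"),
    ("ai.approved-vendor.example", "Refund card 4111 1111 1111 1111 in full"),
    ("docs.vendor.example", "Invoice for jane.doe@example.org attached"),
]


def evaluate_samples() -> list[str]:
    return [evaluate(host, payload) for host, payload in SAMPLE_REQUESTS]
```

The third sample shows why an "alert" tier matters: unapproved AI use with no sensitive data is not a breach, but it is exactly the usage signal a policy team needs to keep the approved-tool list current.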

User education remains critical. Most employees who create AI-related data exposure incidents are not acting with malicious intent. They are trying to work efficiently. Training that explains specifically why certain data cannot go into external AI tools, rather than just that it cannot, tends to produce better compliance than generic security reminders.

For individuals, the report is a useful reminder to check what personal data organizations hold about them and how it is protected. Laws like the California Consumer Privacy Act give some consumers formal rights over their data, though CCPA enforcement has significant gaps in practice, and exercising those rights requires active effort.

What This Means For You

The Kordia 2026 report is a New Zealand-focused study, but its findings reflect patterns that are recognizable across industries and geographies. One in six incidents resulting in personal data theft is a significant rate, and the emergence of improper AI use as an insider threat adds a new dimension that many security programs are still catching up to.

For individuals, this is a prompt to think about what personal data you share with businesses, how much of it could be exposed in a breach, and whether you are exercising available rights to minimize that exposure. For organizations, the report is a case for moving security conversations beyond perimeter tools and toward comprehensive data governance.

Technical defenses are necessary but not sufficient. The 17% figure suggests that even after incidents occur, containing the personal data impact requires speed, visibility, and clear policies that most organizations are still working to develop. Reviewing your own data footprint, understanding what rights you have under applicable privacy laws, and staying informed about how breaches actually happen are practical first steps anyone can take today.