From the New Zealand Privacy Commissioner's site ...
If you’re one of the thousands of New Zealand Nurses Organisation (NZNO) members whose names and email addresses were accidentally disclosed to a criminal third party, you might be wondering what you can do about it. The first thing you need to do is to try and understand what happened and what the risks are to you.
The NZNO yesterday notified our Office - as we would expect - that it had fallen victim to a spear phishing scam. An NZNO staff member received an email purportedly from its chief executive asking for names and contact details of all its members. Unfortunately, these details were sent to that email address before it became clear the request was fraudulent. The information lost consisted of the first names, surnames and the email addresses of all its members.
NZNO advised us that its IT team attempted to retrieve the email but it was too late. It also attempted to contact the email address provider, Yahoo. The organisation reported the incident to Police and has emailed its members to inform them about the breach.
The organisation also notified the Department of Internal Affairs and IDCare, an NGO that provides advice to victims of identity theft. NZNO has confirmed the only information breached was members’ names and email addresses. No financial or other personal information was disclosed.