Hackers steal photo ID and tax codes from 26,000 Generate KiwiSaver customers

Generate says the hacking occurred between December 29, 2019 and January 27, 2020.

Hackers have stolen photographic identification, tax department numbers, and personal names and addresses of some 26,000 customers of boutique KiwiSaver provider Generate in a Christmas holidays raid that targeted the most sensitive part of its website.

In a statement earlier today, Generate admitted the hack, between December 29 and January 27, had exploited weaknesses in the online application process for becoming a Generate KiwiSaver member. No investors' funds are at risk, although all those affected appear to be at risk of identify theft, which can be used for a variety of purposes from online purchases to organised crime.

READ MORE:
• Seven simple tips to keep hackers at bay
• Hack attack puts health details of one million New Zealanders at risk
• Security: Why your CEO could be your weakest link
• Phil Goff's emails hacked - 15,000 emails over 12 years offered for sale

The application process, which remained live on the Generate website this evening, seeks not only full name and personal address details, but also Inland Revenue Department tax number identification, the withholding tax rate applying to the applicant and, most sensitive of all, the uploading of copies of photographic identification: either a passport or driver's licence.

Generate is, according to its own claims, the country's 10th largest KiwiSaver provider by customer numbers, and is the 11th largest by funds under managment, with $1.8 billion in members' savings, according to Morningstar's December 2019 KiwiSaver funds research update, published this week. That gives the company a 2.9 percent share of the $63.1 billion market.

Generate itself did not actively disclose the extent of the breach, saying only that "some of its members' personal information has been accessed illegitimately".

It's now confirmed all information uploaded in membership applications, including photo ID, was affected for as many as 26,000 of the 90,000 people who have invested their KiwiSaver funds with Generate since it began operations seven years ago. Some 70,000 are currently active members, according to the Generate website.

"Generate has contacted all of its members individually to confirm whether or not their own personal information is among the data that was inappropriately accessed," said chief executive Henry Tongue in a statement.

The only upside appears to be that no investors' funds are at risk as they are held separately in trust.

The Financial Markets Authority, Privacy Commissioner, police and tax department have all been alerted, although the company says no investors' money is at risk as it is held in separate trust accounts.

"Since Generate told us of the privacy breach we have put extra security measures in place to prevent the hacked information being used," IRD said in a statement. "Inland Revenue has not found any cases where the hacked information has been used to try to access Inland Revenue systems."

Tongue said the company "has taken immediate action to secure the online application system, and is taking further steps to enhance online security."

"Unfortunately, malicious attacks of this nature are becoming more common both in New Zealand and globally. We have engaged external cyber security specialists to advise on our immediate response to this situation, as well as to conduct a broader audit and testing of all of our systems," said Tongue. "We unreservedly apologise to all of our members for this situation."

On its website, Generate advises members that "while a fraudulent application for withdrawal could have been made using illegitimately obtained personal information, there is no evidence this has occurred" and that passwords for accessing personal records have not been compromised, although they should be changed.

All customers from the past seven years have been contacted and are advised they can "safely log in to your account for specific information on what personal data of yours was accessed."

According to Companies Office records, the company has 28 shareholders, among them Westpac New Zealand's general counsel and general manager of regulatory affairs, Mark Weenink, with a 2 percent shareholding.