Experts say the online hack of KiwiSaver provider Generate should serve as a wake-up call to other providers and a warning to consumers to check the security measures their provider is taking.
Yesterday Generate revealed online thieves had stolen photographic identification, tax department numbers, and personal names and addresses of some 26,000 customers in a month-long raid between December 29 and January 27.
No investors' funds are at risk, although all those affected appear to be at risk of identity theft, which can be used for a variety of purposes from online purchases to organised crime.
More than three million New Zealanders have over $60 billion tied up in KiwiSaver with around 26 different schemes on offer.
Mark Gorrie, senior director at cyber safety software firm NortonLifeLock New Zealand, said: "It is definitely a wake-up call for other providers. A lot of businesses get complacent."
He said Generate could lose members as a result of the breach and potential reputational damage.
Gorrie said stolen data was often not used by the people who stole it but sold on the dark web.
"It is incredibly valuable."
Given the data included passports, driver's licences and IRD numbers, it was even more valuable because it involved more than one data point on an individual.
"That is as good as it gets for someone that wants to buy identity information."
He said in many cases it was organised criminals who bought the information. "Billions are lost through identity theft every year. This is big business."
He said those affected by the hack should change passwords and get credit checks from agencies to ensure someone else did not take out debt in their name.
Gorrie said the victims should also be vigilant for phishing scams as the more personal information a scammer had the easier it was to get someone to fall for a scam.
And it might be a while before any identity theft takes place. "Identity theft can go on for years and years."
Daniel Ayers, a cyber security consultant, said any KiwiSaver members who were concerned about the security of their provider should contact their provider and ask questions.
If they were unhappy they could switch elsewhere.
"That will be the thing that is the biggest stick to get providers to improve their security."
Ayers said people should ask what security measures the provider has in place, where their data is stored and who has access to it.
"Ask for written assurance they have complied with the Privacy Act and give details about where your information is stored and who has access to it."
Those looking at switching should consider the size of the organisation and how long it had been around. Ayers said banks also tended to have tight security.
Sam Sargeant, chief security officer at Internet NZ, a non-profit internet advocacy group, said identity theft could affect all Kiwis.
"Building secure systems is an ongoing challenge which requires monitoring."
Sargeant said the Generate breach was a "little concerning" because it went unnoticed for a month.
"A month is not the best, but I have seen worse."
He said the rule for anyone handing over highly sensitive personal information was to pause and find out more about who they were giving it to.
Sargeant said it was very difficult for the public to know if their data was safe.
"It is difficult. There is no certification or accreditation."
He urged providers to see this as an opportunity to work together with the IRD and the Privacy Commission to disclose any potential breaches, so that they can protect New Zealanders.
A spokesman for the Privacy Commissioner said its office had been notified by Generate Investment Management of the privacy breach.
"The unauthorised disclosure of the company's customer information appears to be the result of a sophisticated and maliciously targeted breach. The personal information disclosed is extensive and sensitive."
"The company has asked for assistance from our office with its breach response. It has briefed our office on the remedial actions it is undertaking, including informing the affected customers and assisting them against identity theft."
The spokesman said measures being employed included putting in place a credit watch, assisting in ID document replacement and providing security products and services to the individuals affected.
"We will continue to assist Generate with its breach response."
The company has also alerted the Inland Revenue and the Financial Markets Authority.
An FMA spokesman said it would be monitoring the breach closely.
The hack comes just months after the regulator released guidance, in July, on cyber resilience for New Zealand's financial services companies.
"We said that as part of the FMA's role in promoting fair, efficient and transparent markets, we want to ensure financial service providers and consumers are aware of and prepared for cyber-risks, and that providers have proportionate controls to mitigate risks and ensure cyber resilience."
It is part of licensing requirements that financial service providers have the infrastructure and systems sufficient to provide the service they offer.
Companies must also have board and/or senior management ownership and visibility of their cyber-resilience framework.
The FMA spokesman said it encouraged providers to review their own systems against the recommendations in the report from last year.
What to do if your identity data has been lost in a breach
• Secure the affected account with a new strong password that you haven't used on any other accounts. The best passwords are long, made up of four or more words.
• If the password on a compromised account was used on other accounts, those passwords should also be changed, and all of the new passwords should be different to
• If your identity documents have been lost in a data breach, talk to the issuing agency straight away for help. For passports contact the Department of Internal Affairs; for driver's licences contact the New Zealand Transport Agency.
• If personal information has been breached, like birthdates, consider whether you have been using this information to secure other accounts, for instance as passwords or answers to security questions. If you have, those passwords and security answers should also be changed.
• Get a free credit check done. This will let you see if any accounts have been opened in your name. There are three main credit check companies in NZ, and you'll have to contact all of them. You can ask to have your credit record corrected if there's any suspicious activity on it. The Office of the Privacy Commissioner has information on freezing your credit information.
Source: CERT NZ.