KiwiSaver provider Generate has bowed to member pressure and will now reimburse members who have to fork out for replacement driver's licences and passports following a near month-long hack of the company's website.
But it says this remediation, which could run as high as $2 million, is not an admission of liability.
Generate admitted last Wednesday it had been subject to a hack between December 29 and January 27 in which photographic identification, tax department numbers, and personal names and addresses of customers were stolen.
Some 26,000 members were affected, with around 10,000 of those having their passport or driver's licence details stolen.
Generate currently has around 70,000 members and is, according to its own claims, the country's 10th largest KiwiSaver provider by customer numbers.
It is the 11th largest by funds under management, with $1.8 billion in members' savings, according to Morningstar's December 2019 KiwiSaver funds research update published last week. That gives the company a 2.9 per cent share of the $63.1 billion market.
No investors' funds are at risk, but those affected could now be subject to identity theft, which can be used for a variety of purposes from online purchases, to unsanctioned loan applications and organised crime.
A member of the scheme affected by the hack told the Herald on Monday that his requests for the company to refund the $38.20 for a replacement driver's licence were declined, as were requests for a fee rebate on his KiwiSaver fund.
The 10,000 who had their photo ID stolen had submitted either a driver's licence or passport for identification.
A replacement adult passport costs $191 and a child passport $111, although an urgent adult passport costs $382 if a person needs it to be replaced quickly.
The Herald sent queries to Generate asking why it would not be refunding members for the replacement costs on Monday.
On Tuesday the KiwiSaver provider wrote to affected members saying that while it was under no obligation to do so it had "reviewed the situation and decided we will reimburse members for the cost of replacement photo ID" for those hit by the data breach.
"We understand this has been a difficult time for our members whose personal information was illegitimately accessed in a breach of our online application system recently.
"As well as creating uncertainty and concern, it has created inconvenience and demands on those members' time in terms of taking action to minimise their risks from having personal information compromised.
"In this context, while we are under no obligation to do so, we have reviewed the situation and decided we will reimburse members for the cost of replacement photo ID ..."
It will only reimburse customers for a replacement passport if it was still valid on December 29, 2019, and those affected are also on a short deadline - they will have to apply for their money back by the end of March.
Those who do not apply or miss the deadline will have Generate's annual member fee of $36 waived for a year. Members who had their data hacked but did not lose photo identification will also have the fee waived for a year.
While the reimbursement will make up for the direct costs, it won't help members who have had to spend hours changing passwords, contacting the relevant authorities to report the stolen identity documents and asking credit agencies for reports of any fraudulent credit applications.
The email sent to affected members also noted that the payments were being made on an ex-gratia basis "without admission of liability".
Generate also reminded members that it had already engaged a cyber security expert to secure its online application system and to undertake a broader audit and testing of all of its systems, and an independent identity and cyber security organisation to provide affected members with specialist advice and assistance.
"We hope that the offers and steps we have outlined in this ongoing breach response from Generate helps to demonstrate to all of our members how valued you all are to us. In this respect, we will also continue to focus on investment performance, building on our track record to date as one of New Zealand's top performing KiwiSaver schemes."
The provider has already come under fire from one cyber security expert who accused it of taking a lax approach to its online security after taking a month to discover the breach.
Generate's boss Henry Tongue last week said in a statement that while it was disappointing its systems took so long, what was important was that it acted quickly once it became aware of the situation.
The Financial Markets Authority, Privacy Commissioner, police and tax department have all been alerted to the breach.
What to do if your identity data has been lost in a breach
• Secure the affected account with a new strong password that you haven't used on any other accounts. The best passwords are long, made up of four or more words.
• If the password on a compromised account was used on other accounts, those passwords should also be changed, and all of the new passwords should be different to
• If your identity documents have been lost in a data breach, talk to the issuing agency straight away for help. For passports contact the Department of Internal Affairs; for driver's licences contact the New Zealand Transport Agency.
• If personal information has been breached, like birthdates, consider whether you have been using this information to secure other accounts, for instance as passwords or answers to security questions. If you have, those passwords and security answers should also be changed.
• Get a free credit check done. This will let you see if any accounts have been opened in your name. There are three main credit check companies in NZ, and you'll have to contact all of them. You can ask to have your credit record corrected if there's any suspicious activity on it. The Office of the Privacy Commissioner has information on freezing your credit information.
Source: CERT NZ.