Hackers stole photographic ID for some 10,000 of the 26,000 Generate KiwiSaver customers affected by a raid on the most sensitive part of its website over the Christmas/New Year period.
The company clarified today that while 26,000 of the 90,000 Generate accounts opened over the last seven years were subject to private data theft - which included photographic identification, tax department numbers, and personal names and addresses - the total number who had copies of documents used for visual identification stolen was around 10,000.
The hack occurred between December 29 and January 27 and exploited weaknesses in the online application process for becoming a Generate KiwiSaver member. No investors' funds are at risk, although all those affected appear to be at risk of identity theft, which can be used for a variety of purposes from online purchases to organised crime.
The Inland Revenue Department had "put extra security measures in place to prevent the hacked information being used" and said it had "not found any cases where the hacked information has been used to try to access Inland Revenue systems."
"We will continue to proactively monitor all services and assets for any cyber vulnerabilities and risks."
However, the government agencies that issue passports and drivers' licences advised they have no way to check whether affected Generate customers' documents are being misused unless the holder cancels them.
The New Zealand Transport Agency advised that anyone concerned their licence may have been compromised should phone its contact centre on 0800 822 422 to have their current driver licence card cancelled and apply for a new one. Once cancelled, the old licence is flagged in the NZTA system and can't be used for ID purposes.
Advice from the Department of Internal Affairs, which issues passports, is similar.
"If a passport holder is concerned that their passport information is being inappropriately used, they can contact us and we will put a flag on their passport record. This means if a replacement passport is applied for by the identity thief, the customer will be contacted by phone and we will carry out additional checks before issuing a new passport."
The Generate application process seeks not only full name and personal address details, but also the applicant's Inland Revenue Department (IRD) number, the withholding tax rate applying to the applicant and, most sensitive of all, uploaded copies of photographic identification: either a passport or a driver's licence.
Generate is, according to its own claims, the country's 10th largest KiwiSaver provider by customer numbers. It is the 11th largest by funds under management, with $1.8 billion in members' savings, according to Morningstar's December 2019 KiwiSaver funds research update published this week. That gives the company a 2.9 per cent share of the $63.1b market.
Generate itself did not actively disclose the extent of the breach, saying only that "some of its members' personal information has been accessed illegitimately".
Inquiries by BusinessDesk have confirmed that information uploaded in membership applications, including photo ID, was affected for as many as 26,000 of the 90,000 people who have invested their KiwiSaver funds with Generate since it began operations seven years ago. Some 70,000 are currently active members, according to the Generate website.
"Generate has contacted all of its members individually to confirm whether or not their own personal information is among the data that was inappropriately accessed," said chief executive Henry Tongue in a statement.
The only upside appears to be that no investors' funds are at risk as they are held separately in trust.
The Financial Markets Authority, Privacy Commissioner, police and tax department have all been alerted.
On its website, Generate advised members that "while a fraudulent application for withdrawal could have been made using illegitimately obtained personal information, there is no evidence this has occurred" and that passwords for accessing personal records have not been compromised, although they should be changed.
All customers from the past seven years have been contacted and are advised they can "safely log in to your account for specific information on what personal data of yours was accessed."