Customer caught up in KiwiSaver provider hack: 'The concern is you can be impersonated'

The customer said the highly personal nature of the information makes this breach especially concerning.
The customer said the highly personal nature of the information makes this breach especially concerning. Photo credit: Getty.

By Jordan Bond of RNZ

An Auckland man caught up in the hack of sensitive personal information from his KiwiSaver provider fears he could now be the victim of identity fraud, and wants the company to face consequences.

New Zealand-owned company Generate announced yesterday it had its computer systems breached. The personal information of 26,000 of its 90,000 customers has been copied, ranging from names, addresses and birthdays, to IRD numbers, passports and possibly bank statements. This is potentially hundreds of thousands of data points linked to customers' financial and online identities.

"It's pretty devastating," the affected man told RNZ anonymously. "Because there's nothing you can do about it. There's a sense of powerlessness about it, because once it's out there you can't get it back - it can't be unreleased."

Generate put the breach down to a "malicious attack". An unauthorised third party accessed its online application system for almost a month, it said, between late December and late January.

Money invested with the company is safe because it's held in a separate system to the one which was breached. Generate wouldn't elaborate on how the data was taken, and did not return a request for an interview.

The customer said the highly personal nature of the information makes this breach especially concerning.

"It's a lot of information that other organisations use to verify you are who you say you are," he said.

"With that level of information you can convince lots of companies to give you lines of credit, or a credit card. The concern is you can be impersonated quite well with that information, and that's what worries me."

In a statement, Generate said it has contacted the affected customers individually to offer advice on how to "minimise risks associated with inappropriate use of their personal information".

"Unfortunately, malicious attacks of this nature are becoming more common both in New Zealand and globally, and constant vigilance is required.

"We have engaged external cyber security specialists to advise on our immediate response to this situation, as well as to conduct a broader audit and testing of all of our systems," its chief executive, Henry Tongue said.

It also reported the incident to the Police, the Privacy Commissioner, Inland Revenue and the Financial Markets Authority.

"Generally what happens with this sort of stuff is it gets put on the dark web, which is a big concern for me," the customer said.

He said there should be consequences for companies that lose clients' data.

"Absolutely. I don't have a clear idea of what should happen but this seems unparalleled to me, and it should serve as a wake up call, particularly to financial services providers... They're huge targets for hackers because they hold such valuable information. It's extremely disappointing."

Generate said it unreservedly apologised to all of its members.

"We are working hard to assist the members that are directly affected by this, and to enhance the security of our systems to prevent this type of incident occurring again in the future," Tongue said.