The Department of Internal Affairs (DIA) says more than 1300 New Zealanders have had their passport details stolen in a massive hack on money lender Latitude Financial.
Tens of thousands of other Kiwis are believed to have had copies of their driver's licences taken too.
Last week, Latitude Financial revealed the hack on its databases had impacted more than 328,000 customers in New Zealand and Australia. The company operates finance companies Genoapay and Gem Visa among others.
Despite the breach, DIA general manager of services and access Julia Wootton said it was not necessary to replace passports.
"We have assessed the risk and determined that people do not need to apply for a new passport. Our Department has robust controls that protect passports from identity takeover, including sophisticated facial recognition technology," she said.
Woolton told Newshub it's possible the number of people affected could rise.
"We are currently aware of 1342 and are working closely with Latitude to identify any other impacted passport holders."
Cert NZ incident response manager Jordan Heersping told Newshub identity theft is the primary reason for such large-scale cyber attacks.
"Passports are a really, really valuable source for attackers in these situations. They have a lot of personal information on them and that kind of information can be used to open bank accounts or credit cards, take out loans, order goods and services."
Latitude Financial Services chief executive Ahmed Fahour said the company was working with Waka Kotahi and the DIA to determine whether documents need to be replaced.
But Heersping said his advice was to take a cautious approach. He said it's possible some stolen data would just be cast aside but the possibility remained that such data could be used for nefarious purposes.
"If your documents have been compromised we strongly urge you to renew them as soon as possible. Waiting may mean having to repair damage which is not as easy as heading it off before it can start."
The attack happened after hackers used an employee login to gain access to customer databases. Latitude has apologised for the breach, but has not contained the attack with most of its services still being offline.
Fahour said Latitude would foot the bill for any identity documents that need to be replaced.
"We are currently working with government agencies on the process to replace your stolen identity document (where necessary) at no cost to you."
