A victim of a cyber attack fears personal information could end up for sale on the dark web.
Copies of thousands of New Zealand drivers' licences were stolen in the breach, which targeted a digital payment company.
Genoapay marketed itself as a simple and safe way to shop because people only need a New Zealand driver's licence and either Visa or Mastercard.
The buy now, pay later service owned by Latitude Financial was hit by hackers on Thursday.
Among the stolen personal information were copies of New Zealand drivers' licences.
"Worst case scenario would be that my information is used on the dark web and they sell a lot of information on there from driver's licences, full names and date of birth and all that sort of stuff," cyber attack victim Maddie Stevens told Newshub.
At least 328,000 Kiwi and Australian customers were affected by the hack.
Latitude Financial said it "apologises to its customers" and is doing "everything in our power to contain the attack".
Stevens said the hack is a reminder to everyone.
"The providers that are holding your information - what are their security protocols actually to cover that."
Although it's not known what's happened to his stolen data - selling personal information on the dark web is widespread.
In 2022, cyber security firm NordVPN found a New Zealand driver's licence sold for as little as $5.16 on the dark web, someone's Netflix account details for $6.30, a hacked Uber account can be purchased for $7.80 and payment card data was the most expensive at $12.00.
Chapman Tripp partner and cyber security expert Kelly McFadzien said the Genoapay hack was a significant one.
"It's a global business and it doesn't really matter where the hackers are - they are just trying any door until they find an unlocked one," McFadzien told Newshub.
In the Genoapay case, the attacker used an employee's login details to gain access to databases.
McFadzien said customers that were affected by the hack don't need to cut up their cards.
"In and of itself your driver's licence information being out there isn't necessarily the problem, it's then how it might get used."
McFadzien said people who were affected should monitor their accounts instead.
"Keeping an eye on transactions, keeping an eye on suspicious emails."
She said internet security often falls down the list of priorities for businesses - but with the rising number of attacks - it should always be high on the agenda.
