Hackers have acquired sensitive information belonging to around 26,000 members of KiwiSaver provider Generate in a Christmas holiday raid.
Generate confirmed that the hackers exploited weaknesses in its online application process – seeking not only applicants’ full names and personal details but also Inland Revenue Department (IRD) tax numbers, withholding tax rates, and copies of photographic ID. It said investors’ funds were safe, but affected members might be at risk of identity theft.
Henry Tongue, chief executive of Generate, said the company has already taken “immediate action to secure the online application system and is taking further steps to enhance online security.”
“Generate has contacted all of its members individually to confirm whether or not their personal information is among the data that was inappropriately accessed,” Tongue told NZ Herald.
“Unfortunately, malicious attacks of this nature are becoming more common both in New Zealand and globally. We have engaged external cyber security specialists to advise on our immediate response to this situation, as well as to conduct a broader audit and testing of all of our systems. We unreservedly apologise to all of our members for this situation.”
The Government Communications Security Bureau (GCSB) warned New Zealand businesses that hackers have been targeting several sectors in the economy – including major exporters, holders of crucial intellectual property, and operators of critical infrastructure.
However, it found that only a few businesses take information security risks seriously, while some do not even recognise the risk at board level.
“The more organisations can do – on those basics around passwords, around access, around keeping their patches up to date ... the more we will be able to focus on those high-end threats,” Andrew Hampton, director-general of GCSB, explained.