Cybercrooks maintained access to savings company’s application system for a month

Generate, a savings scheme provider in New Zealand, has reported a security incident impacting around 26,000 customers.

The Auckland-based company – which provides savings funds as part of the government-run KiwiSaver scheme – disclosed today (February 12) that an unauthorized third-party had gained access to its online application system.

Generate said in a statement that the incident had occurred between December 29, 2019, and January 27, 2020. It only discovered the problem late last week, however.

“As soon as we became aware of the incident, we took immediate steps to further strengthen security of our online applications website and wider IT systems,” Generate said.

“Our next immediate focus was to identify which of our members’ data was accessed and exactly what data was involved.”

Information potentially compromised includes that which is “held in our online application database”, Generate said.

The application page on the company's website asks for a range of information, including full name, address, tax identification number, and photo identification such as a passport or driver’s license.

“While a fraudulent application for withdrawal could have been made using illegitimately obtained personal information, there is no evidence this has occurred,” Generate said.

The company added: “While this is a serious matter, it’s important that we emphasise that this incident in no way compromised our members’ savings, as these are held by Public Trust in a completely different system.”

Customers who joined Generate in the last seven years may be affected. The company is sending out emails to informing all of its customers whether or not they are affected.

The email “provides information on further steps that affected members can take in response to this incident”, the company said.

Customers are additionally urged to log in to their Generate account to see if any information may have been accessed.

Generate noted that it had contacted the New Zealand Privacy Commissioner and is working with law enforcement and cybersecurity experts to investigate the cause of the incident.

“In response to this incident, we have already taken a number of actions to further strengthen our security, and are implementing an ongoing programme of testing and refinement of our systems,” it said.

“Notwithstanding this, we sincerely apologise to our members who have been affected.”

The Daily Swig has reached out to Generate for further comment.


YOU MIGHT ALSO LIKE Cyber-attacks on prime New Zealand targets staying below radar for longer