Booster Financial Services chairman Paul Foley said the company immediately investigated and informed affected customers.
Around 7500 customers of Booster Financial Services have had their personal information hacked after a staff member's personal computer was compromised.
The customers were members of Booster's superannuation scheme and data included their name, address, date of birth and email address.
The breach did not affect Booster's KiwiSaver or managed fund members.
Booster Financial Services chairman Paul Foley said the company became aware of a data breach affecting its SuperScheme members on Monday.
"We immediately investigated and informed affected customers. Booster takes the utmost care to look after our customers' privacy and are very disappointed that this mistake has occurred. We apologise to all customers concerned."
Foley said the breach occurred when a staff member's personal computer was compromised.
"By using this computer, the hacker was able to access some customers' personal details. We have let these customers know that their money and investments have not been affected."
He said the staff member was at home sick with Covid-19 and should not have been using their personal computer to access work files as this was against company policy.
Foley said Booster required multifactor authentication (MFA) to access systems but, unfortunately, in this case human error occurred: the staff member took the wrong action and allowed access when the MFA prompt was triggered.
As a result, data for 7566 members was accessed. The data did not include identification documentation, bank account details or passwords.
Foley said Booster had advised members to be on alert for scams or phishing exercises.
"We are confident this is an isolated incident which resulted from a failure of a staff member to follow the correct procedure.
"We will let customers know if any further relevant information comes to light."
He said Booster did not allow any employee to hold customer information on personal computers.
In this instance, a staff member had accessed the system from their personal computer.
"This isn't usual practice and should not have happened as it subsequently enabled a hacker to control the first step in the login process, using a saved password. In addition, the second security step (MFA) in the log-in process was not effective due to human error."
The company has reported the breach to the Privacy Commissioner and the Financial Markets Authority and would work with them to identify if there were further steps that should be taken.
Booster urged customers to call Booster on 0800 336 338 for any help or support they needed.
Privacy Commissioner Michael Webster said as with any breach, Booster would need to conduct an investigation to fully ascertain the size and scope of the breach.
"Our focus in these early stages is to provide agencies who have experienced a breach with advice on how to minimise the harm caused by the breach on the individuals impacted."
Webster said anyone worried that their privacy had been breached should contact the agency concerned.
"Our office may also be able to assist on a case by case basis."
An FMA spokesman said it had been informed of the breach by Booster.
"The first priority is for Booster to manage the incident and we expect to remain informed while the event is managed.
"We have released guidance on our expectations for cyber security and resilience and urge all firms to ensure they are prepared."
It is not the first time a financial services firm has been hacked.
In February 2020, Generate admitted hackers stole photographic identification, tax department numbers, and personal names and addresses of some 26,000 customers of its KiwiSaver scheme in a Christmas holidays raid targeting the most sensitive part of its website.
At the time, Generate said the hack between December 29, 2019 and January 27 the following year exploited weaknesses in its online application process for becoming a KiwiSaver member.
Generate had to shell out about $2 million in remediation to pay for replacement passports and drivers' licenses for its customers.