The company said about 103,000 ID documents, more than 97 per cent of which were copies of drivers’ licences, were stolen from one service provider.
And about 225,000 customer records were stolen from a second service provider, Walduck added.
The email did not specify which providers were affected, but Genoapay customers received the notice, and the company also operates consumer finance company and lender Gem in New Zealand.
ASX-listed Latitude Financial Services owns Genoapay.
The attacker was reportedly able to obtain employee login credentials and steal the documents before the incident was isolated.
Business News Australia said Latitude Financial went into a trading halt before telling the ASX about a “sophisticated and malicious” cyber incident.
Walduck said the company would contact people directly if their personal information was disclosed.
“We are working with the relevant authorities and have engaged cybersecurity specialists as we continue to do everything in our power to contain the attack.”
Genoapay last month announced it was leaving New Zealand. It previously processed applications relying on information people provided.
Credit reports could disclose the frequency of credit applications, previous defaults, court actions, previous bankruptcies or unsatisfactory repayment information.
On February 17, Latitude announced a full-year net profit after tax of A$36.3 million ($39.1m) for the year to December 31.
That was 77 per cent down on the A$160.3m made in the previous financial year.
When it announced Genoapay’s departure from New Zealand, the company said it would exit New Zealand on April 11.
Genoapay had made the decision to close its buy now pay later offering in New Zealand and Australia after completing an extensive strategic review of the service, the company said.
Where to get help