Hackers have stolen photographic identification, tax department numbers, and personal names and addresses of some 26,000 customers of boutique KiwiSaver provider Generate in a Christmas holidays raid that targeted the most sensitive part of its website.
In a statement earlier today, Generate admitted the hack, between December 29 and January 27, had exploited weaknesses in the online application process for becoming a Generate KiwiSaver member. No investors' funds are at risk, although all those affected appear to be at risk of identify theft, which can be used for a variety of purposes from online purchases to organised crime.
READ MORE:
• Seven simple tips to keep hackers at bay
• Hack attack puts health details of one million New Zealanders at risk
• Security: Why your CEO could be your weakest link
• Phil Goff's emails hacked - 15,000 emails over 12 years offered for sale
The application process, which remained live on the Generate website this evening, seeks not only full name and personal address details, but also Inland Revenue Department tax number identification, the withholding tax rate applying to the applicant and, most sensitive of all, the uploading of copies of photographic identification: either a passport or driver's licence.
Generate is, according to its own claims, the country's 10th largest KiwiSaver provider by customer numbers, and is the 11th largest by funds under managment, with $1.8 billion in members' savings, according to Morningstar's December 2019 KiwiSaver funds research update, published this week. That gives the company a 2.9 percent share of the $63.1 billion market.