Cyber security expert accuses hacked KiwiSaver provider of lax approach

Generate says the hacking occurred between December 29, 2019 and January 27, 2020. Photo/File.

A cyber security expert has accused hacked KiwiSaver provider Generate of taking a lax approach to its online security after taking a month to discover the breach.

But Generate's boss Henry Tongue says while it is disappointing its systems took so long what is important is that it acted quickly once it became aware of the situation.

Generate revealed on Wednesday online thieves had stolen photographic identification, tax department numbers, and personal names and addresses of some 26,000 customers in a month long raid between December 29 and January 27.

No investors' funds are at risk, although all those affected appear to be at risk of identify theft, which can be used for a variety of purposes from online purchases to organised crime.

READ MORE:
• Cyber security incidents reported to CERT NZ at all-time high
• Some Toll Group systems offline after suspected cyber attack
• Toll Group scrambles on day four of suspected cyber-attack
• 'Arms race against cybersecurity': New Zealand businesses need to take threats seriously: expert

Daniel Ayers, a cyber security consultant, said there were a few issues which stood out to him about the Generate situation.

He said the timeframe the hack took place over was nearly a month.

"The first thing is it has taken them some time to detect which is a problem."

While the hack happened over the Summer holiday period hackers often deliberately targeted times of the week or year when people took their eye off the ball, he said.

"The fact it took them a month to notice points to their security not being particularly good."

He said the company should have had data loss protection in place which was technology designed to prevent important data from leaving a website.

"It raises questions about whether this company had this in place."

He said the type of data which was stolen was very high level in terms of passports, IRD numbers and drivers licenses.

"This is very sensitive information. I would expect protections to be commensurate with that."

"There is a trail of failure here."

He said the situation showed the company had poor protections which allowed it to be hacked and then couldn't detect it for a month.

It didn't have data loss protection in place otherwise it would have been notified about transfer of passport information, he added.

"That information should be easy to detect as it leaves the system in bulk."

Ayers said the fact the data was from applicants who had signed up over the last seven years meant the company had kept people's sensitive information on a computer system that was accessible by the internet for seven years.

He said information from those no longer a member or not accepted into the scheme should have been removed while those already signed up should have had their data moved to a secure place.

"Why have they accumulated seven years of data on an internet connected system?" he questioned."

He said even if the company's online protection was poor the step of moving the data to a secure place would have protected most people's information.

"There is a real picture of poor security and Privacy Act compliance."

Henry Tongue, chief executive of Kiwisaver provider Generate. Photo/Supplied.

Generate chief executive Henry Tongue said it was disappointing that the systems it had in place to manage and monitor its online security took that amount of time to bring the issue to light.

"...this is one of the things that the extensive broader audit and testing of all of our systems, by cyber security specialists we've engaged, will be looking at.

"What's important is that we acted immediately to secure our online application system as soon as we were made aware of this situation, and are working hard to provide detailed information to our affected clients so that we can assist them to minimise potential risks from this event."

It was Generate's IT team which detected the activity.

Tongue said the company would not comment on the details of its data security systems, as that information could be of use to potential hackers.

He also defended the company's move to hold onto personalised data.

"We have a legal obligation to hold this information under New Zealand's anti-money laundering and countering financing of terrorism legislation to hold this data for five years after the end of the client relationship."

Tongue said while its members' KiwiSaver or other investment accounts were not involved, it absolutely recognised the impact on its affected members.

"We sincerely apologise to all of our members for what has occurred and are working hard to assist those who are directly affected.

"Unfortunately, malicious attacks of this nature are becoming more common both in New Zealand and globally, so constant vigilance is required and we are taking longer term steps to further strengthen the security of our systems. This is a key priority for us alongside continuing to perform strongly as an investment manager to deliver results for our members."

Generate has reported the breach to the Privacy Commissioner, Inland Revenue and the Financial Markets Authority.

A spokesman for the Privacy Commissioner said the unauthorised disclosure of the company's customer information appeared to be the result of a sophisticated and maliciously targeted breach.

It is helping Generate with its breach response.

A spokesman for the FMA said it would be monitoring the situation closely to assess how Generate is meeting its license conditions.

All managed investment schemes, which includes KiwiSaver providers have to have a license to manage money on behalf of retail investors.

What to do if your identity data has been lost in a breach
• Secure the affected account with a new strong password that you haven't used on any other accounts. The best passwords are long, made up of four or more words.
• If the password on a compromised account was used on other accounts, those passwords should also be changed, and all of the new passwords should be different to • If your identity documents have been lost in a data breach, talk to the issuing agency straight away for help. For passports contact the Department of Internal Affairs; for drivers licences contact the New Zealand Transport Agency.
• If personal information has been breached, like birthdates, consider whether you have been using this information to secure other accounts, for instance as passwords or answers to security questions. If you have, those passwords and security answers should also be changed.
• Get a free credit check done. This will let you see if any accounts have been opened in your name. There are three main credit check companies in NZ, and you'll have to contact all of them. You can ask to have your credit record corrected if there's any suspicious activity on it. The Office of the Privacy Commissioner has information on freezing your credit information.
source: CERT NZ.