Squirrel data breach: Overseas hacker suspected as up to 600 customers have licence, passport numbers compromised

Passport and driver licence numbers were stolen in the hack but images of people were not, Squirrel said. Photo / 123rf

Lending and investment company Squirrel and up to 600 customers have been the target of a cyber attack.

Driver licence numbers and passport numbers were among material stolen in the breach, the company said.

“We found out there was an issue on Sunday morning,” Squirrel chief operating officer Dave Tyrer told the Herald.

He said it took until yesterday to confirm what, if any, personal data had been breached, and alert customers.

“It’s not always easy to get the information you need, when you need it, in these situations.”

Tyrer said based on investigations so far, Squirrel was “99.9%” sure an overseas actor or actors carried out the breach.

Squirrel received no ransom demand or other contact from the attacker or attackers, he said.

“They can’t hold us to ransom or anything like that. None of Squirrel’s direct systems are compromised.”

He said the breach happened on a third-party system used for anti-money laundering and know your customer (KYC) verification.

But Squirrel took responsibility and that third party provider’s other customers were not compromised, Tyrer said.

“To be clear, the breach is on Squirrel and not on them as a provider.”

He said Squirrel had taken steps to close the weakness the hacker or hackers exploited and reduce the chances of a similar incident happening again.

The Office of the Privacy Commissioner had been told about the data breach, he said.

“We’re 100% reimbursing any customer that wishes to replace their driver’s licence or passport.”

Photos on the licences and passports had not been stolen or compromised, he said.

A Herald reader today said his details were among those taken and he was not impressed.

“Squirrel got hacked and my details stolen. They offered me $27 compensation to replace my driver’s licence. I believe this is unacceptable.”

He forwarded an email in which Squirrel said the “information extracted” included his driver licence number, expiry date and version number, as well as his name, and his address details, if those were printed on his licence.

The hack might remind some people of the Latitude-Genoapay data breach but Tyrer said the Squirrel breach, though serious, was on a smaller scale and less severe.

It impacted customers who signed up with Squirrel between June 20 and July 20.

“The majority of them were registered to become an investor with Squirrel,” Tyrer said.

He said he could not be certain what the motivation for the attack was.

“Identity data can be valuable [but] typically it’s only valuable if you also have the image related to the customers.”

The company said no other customers were impacted and no customers had user names, passwords, or bank account details compromised.

Tyrer said various alerts on Sunday notified Squirrel of a potential problem but for security reasons he did not want to elaborate on what those alerts were.

He said he believed Squirrel’s response time from the first alert to breach confirmation was in line with how many other companies would or could respond.

He said affected customers could phone 0800 212 230 or email money@squirrel.co.nz.

Squirrel provides peer-to-peer lending and investing as well as mortgage brokering services.