KiwiSaver firm Generate hit by data breach

13 Feb 2020

KiwiSaver provider Generate has published details of a breach that has affected approximately 26,000 of its 90,000 customers, putting personal information at risk.

Between 29 December 2019 and 29 January 2020, the company alleges that an ‘unidentified’ third party gained access to its online application system and captured personal information belonging to some of its members.

KiwiSaver investment funds were not affected in the breach, because they are held in a public trust on a different system.

While some worry that the stolen personal information could be used to make fraudulent KiwiSaver withdrawals, Generate says there is no evidence this has occurred so far. The company has also put additional security measures in place to stop it from happening.

The stolen information could also be used to commit identity theft. To prevent identity theft, Generate suggests that customers:

  • Change passwords across all online services to strong ones that are hard to guess
  • Closely monitor credit cards and bank accounts for suspicious transactions
  • Contact the credit agencies and register for alerts that inform you if someone tries to get credit in your name.

Generate says it has notified customers as to whether their information was stolen in the breach. Current passwords were not affected.

The company says, “If you are a Generate member, you should have received an email that clearly states whether or not your personal information was accessed. You can also safely log in to your account for specific information on what personal data of yours was accessed. If you have not received an email from us, or you still have questions, please call 0800 086 086 to speak with our team.”

Generate explains that as soon as it was made aware of the breach, the company immediately strengthened security of its online applications website, and its wider IT systems.

“Our next immediate focus was to identify which of our members’ data was accessed and exactly what data was involved. This enables us to provide clear and accurate information to each member.”

“In addition, we have been working closely with external cyber security specialists to fully investigate the circumstances of this incident and advise us on any further steps we should take.”

Generate is also working with IDCARE, an independent identity and cyber security organisation, to provide you with specialist advice and assistance. 

Generate customers can contact IDCARE via the referral code KWB-IDC20 either through its online Support Request Form or by calling 0800 201 415 during business hours (Monday to Friday 10:00am – 8:00pm NZST).

Generate has also notified the Financial Markets Authority, Inland Revenue, the New Zealand Police, and the Privacy Commissioner.

“As an organisation, we take the protection of our members’ data very seriously. Unfortunately, malicious attacks of this nature are becoming more common globally,” Generate states. 

“In response to this incident, we have already taken a number of actions to further strengthen our security, and are implementing an ongoing programme of testing and refinement of our systems. Notwithstanding this, we sincerely apologise to our members who have been affected.”
