SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
KiwiSaver firm Generate hit by data breach
Thu, 13th Feb 2020
FYI, this story is more than a year old

KiwiSaver provider Generate has published details of a breach that has affected approximately 26,000 of its 90,000 customers, putting personal information at risk.

Between 29 December 2019 and 29 January 2020, the company alleges that an ‘unidentified' third party gained access to its online application system and captured personal information belonging to some of its members.

KiwiSaver investment funds were not affected in the breach, because they are held in a public trust on a different system.

While some worry that the stolen personal information could be used to make fraudulent KiwiSaver withdrawals, Generate says there is no evidence this has occurred so far. Additionally, the company has put in additional security measures to stop it from happening.

The stolen information could also be used to commit identity theft. To prevent identity theft, Generate suggests that customers:

  • Change passwords across all online services to strong ones that are hard to guess
  • Closely monitor credit cards and bank accounts for suspicious transactions
  • Contact the credit agencies and register for alerts that inform you if someone tries to get credit in your name.

Generate says it has notified customers as to whether their information was stolen in the breach. Current passwords were not affected.

The company says, “If you are a Generate member, you should have received an email that clearly states whether or not your personal information was accessed. You can also safely log in to your account for specific information on what personal data of yours was accessed. If you have not received an email from us, or you still have questions, please call 0800 086 086 to speak with our team.

Generate explains that as soon as it was made aware of the breach, the company immediately strengthened security of its online applications website, and its wider IT systems.

“Our next immediate focus was to identify which of our members' data was accessed and exactly what data was involved. This enables us to provide clear and accurate information to each member.

“In addition, we have been working closely with external cyber security specialists to fully investigate the circumstances of this incident and advise us on any further steps we should take.

Generate is also working with IDCARE, an independent identity and cyber security organisation, to provide you with specialist advice and assistance.

Generate customers can contact IDCARE via the referral code KWB-IDC20 either through its online Support Request Form ( or by calling 0800 201 415 during business hours (Monday to Friday 10:00am – 8:00pm NZST).

Generate has also notified the Financial Markets Authority, Inland Revenue, the New Zealand Police, and the Privacy Commissioner.

“As an organisation, we take the protection of our members' data very seriously. Unfortunately, malicious attacks of this nature are becoming more common globally,” Generate states.

“In response to this incident, we have already taken a number of actions to further strengthen our security, and are implementing an ongoing programme of testing and refinement of our systems. Notwithstanding this, we sincerely apologise to our members who have been affected.