Privacy-related Data Security Incident

Important update 30 April 2020 - Due to COVID-19 we have extended our offer to give you time to replace ID

For any members that did not have the ability to register for ID reimbursement due to COVID-19 restrictions, we will continue to assess claims until the 28th of July 2020. Please send through your invoice to

Members that register their intent for ID reimbursement will not be eligible for the $36 member fee waiver. The member fee waiver will automatically be applied to all affected members who do not take up the ID reimbursement offer. The waiver will apply for one year from 1 April 2020.

Summary of incident

We understand this has been a difficult time for our members whose personal information was illegitimately accessed in a breach of our online application system last year. As well as creating uncertainty and concern, it has created inconvenience and demands on those members’ time in terms of taking action to minimise their risks from having personal information compromised.

In this context, we have reviewed the situation and decided we will reimburse members for the cost of replacement photo ID (NZ Passport or NZ Drivers Licence) if the photo ID they supplied to us was affected in the data breach and was still valid on 29 December 2019. Members should call us to check whether or not their photo ID was compromised.

In recognition of the wider impact on other members whose personal information was accessed but whose photo ID was not compromised, we will also provide a waiver of Generate’s member fee for 12 months, which will be backdated and apply from 1 April 2020.

This will be applied to members’ accounts automatically (no action is required from any affected members to receive this member fee waiver).

To reiterate, the offers that we have noted above are made on an ex gratia basis without any admission of liability and are in addition to the other actions we have taken in response to this incident, including:

  • Engaging cybersecurity experts to immediately secure our online application system and to undertake a broader audit and testing of all of our systems; and
  • Engaging IDCARE, an independent identity and cybersecurity organisation, to provide affected members with specialist advice and assistance.

We hope that the offers and steps we have outlined in this ongoing breach response from Generate help to demonstrate to all of our members how valued you all are to us. In this respect, we will also continue to focus on investment performance, building on our track record to date as one of New Zealand's top-performing KiwiSaver schemes.

*How do I know if I am eligible for reimbursement of the costs of replacing ID?

  • Was my Drivers License, Passport or Firearms licence compromised?

Please call us on 0800 855 322 and we can help you with specific details on what was compromised. 

  • Was it valid at 29 December 2019?

Check the expiry date of the ID was dated on or after 29 December 2019 by calling us on 0800 855 322.

  • If I am under 18 am I eligible?

Check the expiry date of the ID. If the expiry date is after your 18th birthday then you are eligible. This is on the basis that those under 18 are at much lower risk of financial harm from identity theft. However, these members who are not eligible for the reimbursement will still be eligible for the $36 annual membership fee waiver.

How do I replace my driver licence?

  • To replace a driver licence, complete this form and visit either the AA or VTNZ with evidence of your identity (either your existing driver licence or passport).
  • Pay the licence renewal fee and keep a copy of the receipt.

 Generate will reimburse affected members at a cost up to $38.20 (including GST) being the cost for replacement of a NZ Drivers Licence. Generate will reimburse up to this same amount for a replacement of a foreign Drivers Licence.

How do I replace my passport?

Online applications will be emailed a receipt automatically. Paper applications will need to request a receipt from the Department of Internal Affairs.

 Generate will pay for a replacement for affected members at a cost up to $111 (including GST) for eligible children or $191 (including GST) for eligible adults. Generate will reimburse up to this same amount for a replacement of a foreign Passport.

How do I replace my NZ Firearms Licence?

 Generate will reimburse for a replacement for a NZ Firearms Licence up to a cost of $126.50 (incl GST) being the Licence fee before expiry of the last licence.

What if I have a different primary Photo ID?

 If your primary photo ID can be used to obtain credit or at high risk of harm from identity theft we will consider reimbursement of replacement on a case by case basis. Please email us at

How can I claim reimbursement of ID?

Email with:

  • A copy of the receipt for replaced ID; and
  • Your bank account number for reimbursement to be paid into.

If you prefer not to provide your bank account number to us, let us know and we can deposit these funds into your KiwiSaver or Manage Fund account directly. It’s important to note that under the KiwiSaver account option, access to those funds will be subject to usual KiwiSaver access rules. 

Please note: Generate will only reimburse for driver licences and passports issued in NZ that were accessed in the recent data incident. Members can confirm which documents, if any, were accessed by calling us on 0800 855 322.

How do I choose to have my annual member fee waived for 12 months?

If your personal information was compromised and you are not eligible for reimbursement for replacement photo ID (or you are eligible but do not opt to seek reimbursement of costs for replacement photo ID), you do not need to do anything to receive the waiver of Generate’s $36 annual membership fee. We will automatically apply this for all affected members, except for those who have submitted a valid claim for reimbursement of costs for replacement photo ID. All other fees will continue to apply.

12 February 2020

Last week we became aware that an unidentified third party gained unauthorised access to our website’s online application system between 29 December 2019 and 27 January 2020 and was able to capture the personal information of some of our members.

While this is a serious matter, it’s important that we emphasise that this incident in no way compromised our members’ savings, as these are held by Public Trust in a completely different system.

As soon as we became aware of the incident, we took immediate steps to further strengthen the security of our online applications website and wider IT systems. Our next immediate focus was to identify which of our members’ data was accessed and exactly what data was involved. This enables us to provide clear and accurate information to each member. All Generate members should now have received an email which informs them whether or not their data has been accessed and provides information on further steps that affected members can take in response to this incident. In addition, we have been working closely with external cybersecurity specialists to fully investigate the circumstances of this incident and advise us on any further steps we should take.

We have also notified the Privacy Commissioner, the Financial Markets Authority, Inland Revenue and reported the incident to the New Zealand Police.

As an organisation, we take the protection of our members’ data very seriously. Unfortunately, malicious attacks of this nature are becoming more common globally. In response to this incident, we have already taken a number of actions to further strengthen our security and are implementing an ongoing programme of testing and refinement of our systems. Notwithstanding this, we sincerely apologise to our members who have been affected.

Please see below some FAQs for further important information.

Frequently Asked Questions

Q1: Have I been affected?

A: If you are a Generate member, you should have received an email that clearly states whether or not your personal information was accessed.  If you have not received an email from us, or you still have questions, please call 0800 855 322 to speak with our team.

Q2: How many people have been affected?

A: Approximately 26,000 of the 90,000 clients that have joined Generate over the last 7 years have had personal information accessed illegitimately.

Q2: What kind of personal information was accessed?

A: Solely information that is held in our online application database has potentially been compromised. Investment data is held in a completely separate system and was not affected. Members whose data was affected should have received an email outlining what types of information was involved. Impacted members can call us on 0800 855 322 so we can assist them with specific information around what was accessed. 

Q3: Has my password to my Generate online account been copied? 

A: No – your password has not been compromised.

Q4. Are my savings safe with Generate?

A. Yes, your savings are safe. They are held in a separate system to the one that was accessed. Your funds are held by a custodian - Public Trust - which is a Crown entity that has been looking after the interests of New Zealanders since 1873.

Q5. How do I minimise the risks from identity theft?

A. You should consider taking the following steps to further protect yourself:

  • change passwords for online services and make the passwords very difficult to guess;
  • closely monitor bank account and credit card accounts for any suspicious transactions;
  • contact your bank or card issuers and tell them you have had your personal data compromised;
  • contact your bank or card issuers straight away if you notice any suspicious activity or unusual payments that you do not recognise;
  • Notify the credit agencies and register to receive alerts informing you if anyone tries to obtain credit in your name. Information on how to do this can be found here Credit suppression and here Credit Reports. Also, see
  • We understand you may have a number of questions relating to the security of your personal information. We have engaged the services of IDCARE, an independent identity and cybersecurity organisation, to provide you with specialist advice and assistance. You may contact IDCARE via the referral code KWB-IDC20 either through its online Support Request Form ( or by calling 0800 201 415 during business hours (Monday to Friday 10:00 am – 8:00 pm NZST). IDCARE has further resources available at its online Learning Centre (
  • consult the Department of Internal Affairs website for information about protecting identity and minimising the effects of identity crime:
  • contact the Office of the Privacy Commissioner for further guidance on rights under the Privacy Act by visiting the Office of the Privacy Commissioner’s website:

Q6. If someone has copied my ID document(s) could they have withdrawn my money from Generate?

A. While a fraudulent application for withdrawal could have been made using illegitimately obtained personal information, there is no evidence this has occurred. Furthermore, additional security measures have been put in place to prevent this from happening.

Q7. Why does Generate hold this much personal information about its members?

A. It is a legal requirement under New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism and KiwiSaver regimes.

Q8. How do I know this will not happen again?

A. Unfortunately, malicious attacks of this nature are becoming more common globally. In response to this incident, we have already taken a number of actions to further strengthen our security, and are also working with leading cybersecurity specialists to ensure a rigorous, ongoing programme of testing and enhancement of our systems to further minimise risk.

Q9. I haven’t received an email about this yet, how do I know if I’m affected?

A. We emailed all members yesterday but are aware some emails have gone to spam or the email address we have is no longer current. Generate proactively contacted the media about this incident and posted on social media so that anyone who didn’t receive this email, could find out about this incident. If you did not receive this email, you can contact us to find out if you have been affected, please call us on 0800 855 322.

Q10. I want to extend my credit suppression for longer than 10 days, what is the police reference number?

A. The police reference number is 200207/0175.

If you have any further questions after reading these FAQs, please call us on 0800 855 322.