Privacy-related Data Security Incident

20 February 2020 (Updated 26 march 2020) 

An important update for members whose personal data was compromised 

We understand this has been a difficult time for our members whose personal information was illegitimately accessed in a breach of our online application system recently. As well as creating uncertainty and concern, it has created inconvenience and demands on those members’ time in terms of taking action to minimise their risks from having personal information compromised.

In this context, while we are under no obligation to do so, we have reviewed the situation and decided we will reimburse members for the cost of replacement photo ID (NZ Passport or NZ Drivers Licence) if the photo ID they supplied to us was affected in the data breach and was still valid on 29 December 2019. Members should log-in to their online account to check whether or not their photo ID was compromised. Eligible members* will need to apply to us for reimbursement of the cost of their replacement Passport or Drivers Licence by 31 March 2020.

** Due to COVID-19 Level 4 measures we understand eligible members may not be able to replace ID before 31 March 2020. Could those eligible members who do want to take up the reimbursement offer, after the COVID-19 Alert Level has been lowered, please register your intent by 31 March 2020 via email to datasecurity@generatewealth.co.nz. We will notify those members of a reasonable time frame to seek reimbursement after the COVID-19 level is lowered. All members that do register their intent will not be eligible for the $36 fee waiver starting 1 April 2020.** 

For those members who had photo ID compromised but choose not to apply for new documents, or for members who miss the 31 March 2020 deadline, we will waive Generate’s annual member fee of $36 for 12 months. 

In recognition of the wider impact on other members whose personal information was accessed but whose photo ID was not compromised, we will also extend this waiver of Generate’s member fee for 12 months to them.

The waiver of Generate’s member fee for the next 12 months will be applied to members’ accounts automatically (no action is required from any affected members to receive this member fee waiver).

To reiterate, the offers that we have noted above are made on an ex gratia basis without any admission of liability and are in addition to the other actions we have taken in response to this incident, including:

  • Engaging cybersecurity experts to immediately secure our online application system and to undertake a broader audit and testing of all of our systems; and
  • Engaging IDCARE, an independent identity and cybersecurity organisation, to provide affected members with specialist advice and assistance.

We hope that the offers and steps we have outlined in this ongoing breach response from Generate helps to demonstrate to all of our members how valued you all are to us. In this respect, we will also continue to focus on investment performance, building on our track record to date as one of New Zealand's top-performing KiwiSaver schemes.


*How do I know if I am eligible for reimbursement of the costs of replacing ID?

  • Was my Drivers Licence, Passport or Firearms licence compromised?

Please log in to your Generate Online Account and check if the document was compromised.

  • Was it valid at 29 December 2019?

Check the expiry date of the ID was dated on or after 29 December 2019 on your Generate Online Account.

  • If I am under 18 am I eligible?

Check the expiry date of the ID. If the expiry date is after your 18th birthday then you are eligible. This is on the basis that those under 18 are at much lower risk of financial harm from identity theft. However, these members who are not eligible for the reimbursement will still be eligible for the $36 annual member fee waiver.


How do I replace my driver licence?

  • To replace a driver licence, complete this form and visit either the AA or VTNZ with evidence of your identity (either your existing driver licence or passport).
  • Pay the licence renewal fee and keep a copy of the receipt.

Generate will reimburse affected members at a cost up to $38.20 (including GST) being the cost for replacement of a NZ Drivers Licence. Generate will reimburse up to this same amount for a replacement of a foreign Drivers Licence.   


How do I replace my passport?

Online applications will be emailed a receipt automatically. Paper applications will need to request a receipt from the Department of Internal Affairs.

Generate will pay for a replacement for affected members at a cost up to $111 (including GST) for eligible children or $191 (including GST) for eligible adults. Generate will reimburse up to this same amount for a replacement of a foreign Passport.  

 

How do I replace my NZ Firearms Licence?

Generate will reimburse for a replacement for a NZ Firearms Licence up to a cost of $126.50 (incl GST) being the Licence fee before expiry of the last licence. 


What if I have a different primary Photo ID?

  • If your primary photo ID can be used to obtain credit or at high risk of harm from identity theft we will consider reimbursement of replacement on a case by case basis. Please email us at datasecurity@generatewealth.co.nz 


How can I claim reimbursement of ID?

Email datasecurity@generatewealth.co.nz with:

  • A copy of the receipt for replaced ID; and
  • Your bank account number for reimbursement to be paid into.

If you prefer not to provide your bank account number to us, let us know and we can deposit these funds into your KiwiSaver or unit trust account directly. It’s important to note that under the KiwiSaver account option, access to those funds will be subject to usual KiwiSaver access rules. 

Please note: Generate will only reimburse for driver licences and passports issued in NZ that were accessed in the recent data incident. Members can confirm which documents, if any, were accessed by logging in online to their Generate member account.

 

How do I choose to have my annual member fee waived for 12 months?

If your personal information was compromised and you are not eligible for reimbursement for replacement photo ID (or you are eligible but do not opt to seek reimbursement of costs for replacement photo ID), you do not need to do anything to receive the waiver of Generate’s $36 annual member fee. We will automatically apply this for all affected members from 1 April 2020, except for those who have submitted a valid claim by 31 March 2020 for reimbursement of costs for replacement photo ID.



12 February 2020

Last week we became aware that an unidentified third party gained unauthorised access to our website’s online application system between 29 December 2019 and 27 January 2020 and was able to capture the personal information of some of our members.

While this is a serious matter, it’s important that we emphasise that this incident in no way compromised our members’ savings, as these are held by Public Trust in a completely different system.

As soon as we became aware of the incident, we took immediate steps to further strengthen the security of our online applications website and wider IT systems. Our next immediate focus was to identify which of our members’ data was accessed and exactly what data was involved. This enables us to provide clear and accurate information to each member. All Generate members should now have received an email which informs them whether or not their data has been accessed, and provides information on further steps that affected members can take in response to this incident. In addition, we have been working closely with external cybersecurity specialists to fully investigate the circumstances of this incident and advise us on any further steps we should take.

We have also notified the Privacy Commissioner, the Financial Markets Authority, Inland Revenue and reported the incident to the New Zealand Police. 

As an organisation, we take the protection of our members’ data very seriously. Unfortunately, malicious attacks of this nature are becoming more common globally. In response to this incident, we have already taken a number of actions to further strengthen our security, and are implementing an ongoing programme of testing and refinement of our systems. Notwithstanding this, we sincerely apologise to our members who have been affected.  

Please see below some FAQs for further important information.
 

Frequently Asked Questions

Q1: Have I been affected?

A: If you are a Generate member, you should have received an email that clearly states whether or not your personal information was accessed. You can also safely log in to your account for specific information on what personal data of yours was accessed. If you have not received an email from us, or you still have questions, please call 0800 086 086 to speak with our team.

Q2: How many people have been affected?

A: Approximately 26,000 of the 90,000 clients that have joined Generate over the last 7 years have had personal information accessed illegitimately.

Q2: What kind of personal information was accessed?

A: Solely information that is held in our online application database has potentially been compromised. Investment data is held in a completely separate system and was not affected. Members whose data was affected should have received an email outlining what types of information was involved. They can also safely log in to their Generate account to see specifically what information of theirs was accessed.

Q3: Has my password to my Generate online account been copied? 

A: No – your password has not been compromised. 

Q4. Are my savings safe with Generate?

A. Yes, your savings are safe. They are held in a separate system to the one that was accessed. Your funds are held by a custodian - Public Trust - which is a Crown entity that has been looking after the interests of New Zealanders since 1873. 

Q5. How do I minimise the risks from identity theft?

A. You should consider taking the following steps to further protect yourself:

  • change passwords for online services and make the passwords very difficult to guess; 
  • closely monitor bank account and credit card accounts for any suspicious transactions;
  • contact your bank or card issuers  and tell them you have had your personal data compromised;
  • contact your bank or card issuers straight away if you notice any suspicious activity or unusual payments that you do not recognise; 
  • Notify the credit agencies and register to receive alerts informing you if anyone tries to obtain credit in your name.  Information on how to do this can be found here Credit suppression and here Credit Reports. Also, see https://www.privacy.org.nz/further-resources/knowledge-base/view/193?t=13158_17950
  • We understand you may have a number of questions relating to the security of your personal information. We have engaged the services of IDCARE, an independent identity and cybersecurity organisation, to provide you with specialist advice and assistance. You may contact IDCARE via the referral code KWB-IDC20 either through its online Support Request Form (https://www.idcare.org/contact/get-help) or by calling 0800 201 415 during business hours (Monday to Friday 10:00 am – 8:00 pm NZST). IDCARE has further resources available at its online Learning Centre (https://www.idcare.org/learning-centre/learning-centre).
  • consult the Department of Internal Affairs website for information about protecting identity and minimising the effects of identity crime: https://www.dia.govt.nz/Identity---How-to-protect-yourself-from-identity-theft
  • contact the Office of the Privacy Commissioner for further guidance on rights under the Privacy Act by visiting the Office of the Privacy Commissioner’s website: https://www.privacy.org.nz/

Q6. If someone has copied my ID document(s) could they have withdrawn my money from Generate?

A. While a fraudulent application for withdrawal could have been made using illegitimately obtained personal information, there is no evidence this has occurred.  Furthermore, additional security measures have been put in place to prevent this from happening. 

Q7. Why does Generate hold this much personal information about its members?

A. It is a legal requirement under New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism and KiwiSaver regimes. 

Q8. How do I know this will not happen again?

A. Unfortunately, malicious attacks of this nature are becoming more common globally. In response to this incident, we have already taken a number of actions to further strengthen our security, and are also working with leading cybersecurity specialists to ensure rigorous, ongoing programme of testing and enhancement of our systems to further minimise risk.

Q9. I haven’t received an email about this yet, how do I know if I’m affected?

A. We emailed all members yesterday but are aware some emails have gone to spam or the email address we have is no longer current. Generate proactively contacted the media about this incident and posted on social media so that anyone who didn’t receive this email, could find out about this incident, contact us or log in to their online account to find out whether they have been affected. You can log in to your member account at www.generatewealth.co.nz.

Q10. I want to extend my credit suppression for longer than 10 days, what is the police reference number?

A. The police reference number is 200207/0175.

If you have any further questions after reading these FAQs, please call us on 0800 086 086.