20 February 2020
An important update for members whose personal data was compromised
We understand this has been a difficult time for our members whose personal information was illegitimately accessed in a breach of our online application system recently. As well as creating uncertainty and concern, it has created inconvenience and demands on those members’ time in terms of taking action to minimise their risks from having personal information compromised.
In this context, while we are under no obligation to do so, we have reviewed the situation and decided we will reimburse members for the cost of replacement photo ID (NZ Passport or NZ Drivers Licence) if the photo ID they supplied to us was affected in the data breach and was still valid on 29 December 2019. Members should log-in to their online account to check whether or not their photo ID was compromised. Eligible members* will need to apply to us for reimbursement of the cost of their replacement Passport or Drivers Licence by 31 March 2020.
For those members who had photo ID compromised but choose not to apply for new documents, or for members who miss the 31 March 2020 deadline, we will waive Generate’s annual member fee of $36 for 12 months.
In recognition of the wider impact on other members whose personal information was accessed but whose photo ID was not compromised, we will also extend this waiver of Generate’s member fee for 12 months to them.
The waiver of Generate’s member fee for the next 12 months will be applied to members’ accounts automatically (no action is required from any affected members to receive this member fee waiver).
To reiterate, the offers that we have noted above are made on an ex gratia basis without any admission of liability and are in addition to the other actions we have taken in response to this incident, including:
We hope that the offers and steps we have outlined in this ongoing breach response from Generate helps to demonstrate to all of our members how valued you all are to us. In this respect, we will also continue to focus on investment performance, building on our track record to date as one of New Zealand's top performing KiwiSaver schemes.
*How do I know if I am eligible for reimbursement of the costs or replacing ID?
Please log in to your Generate Online Account and check if the document was compromised.
Check the expiry date of the ID was dated on or after 29 December 2019 on your Generate Online Account.
Check the expiry date of the ID. If the expiry date is after your 18th birthday then you are eligible. This is on the basis that those under 18 are at much lower risk of financial harm from identity theft. However, these members who in ineligible for the reimbursement will still be eligible for the $36 annual member fee waiver.
How do I replace my driver licence?
Generate will reimburse affected members at a cost up to $38.20 (including GST) being the cost for replacement of a NZ Drivers Licence. Generate will reimburse up to this same amount for a replacement of a foreign Drivers Licence.
How do I replace my passport?
Online applications will be emailed a receipt automatically. Paper applications will need to request a receipt from the Department of Internal Affairs.
Generate will pay for a replacement for affected members at a cost up to $111 (including GST) for eligible children or $191 (including GST) for eligible adults. Generate will reimburse up to this same amount for a replacement of a foreign Passport.
How do I replace my NZ Firearms Licence?
Generate will reimburse for a replacement for a NZ Firearms Licence up to a cost of $126.50 (incl GST) being the Licence fee before expiry of last licence.
What if I have a different primary Photo ID?
How can I claim reimbursement of ID?
Email firstname.lastname@example.org with:
If you prefer not to provide your bank account number to us, let us know and we can deposit these funds into your KiwiSaver or unit trust account directly. It’s important to note that under the KiwiSaver account option, access to those funds will be subject to usual KiwiSaver access rules.
Please note: Generate will only reimburse for driver licences and passports issued in NZ that were accessed in the recent data incident. Members can confirm which documents, if any, were accessed by logging in online to their Generate member account.
How do I choose to have my annual member fee waived for 12 months?
If your personal information was compromised and you are not eligible for reimbursement for replacement photo ID (or you are eligible but do not opt to seek reimbursement of costs for replacement photo ID), you do not need to do anything to receive the waiver of Generate’s $36 annual member fee. We will automatically apply this for all affected members from 1 April 2020, except for those who have submitted a valid claim by 31 March 2020 for reimbursement of costs for replacement photo ID.
12 February 2020
Last week we became aware that an unidentified third party gained unauthorised access to our website’s online application system between 29 December 2019 and 27 January 2020 and was able to capture the personal information of some of our members.
While this is a serious matter, it’s important that we emphasise that this incident in no way compromised our members’ savings, as these are held by Public Trust in a completely different system.
As soon as we became aware of the incident, we took immediate steps to further strengthen security of our online applications website and wider IT systems. Our next immediate focus was to identify which of our members’ data was accessed and exactly what data was involved. This enables us to provide clear and accurate information to each member. All Generate members should now have received an email which informs them whether or not their data has been accessed, and provides information on further steps that affected members can take in response to this incident. In addition, we have been working closely with external cyber security specialists to fully investigate the circumstances of this incident and advise us on any further steps we should take.
We have also notified the Privacy Commissioner, the Financial Markets Authority, Inland Revenue and reported the incident to the New Zealand Police.
As an organisation, we take the protection of our members’ data very seriously. Unfortunately, malicious attacks of this nature are becoming more common globally. In response to this incident, we have already taken a number of actions to further strengthen our security, and are implementing an ongoing programme of testing and refinement of our systems. Notwithstanding this, we sincerely apologise to our members who have been affected.
Please see below some FAQs for further important information.
Frequently Asked Questions
Q1: Have I been affected?
A: If you are a Generate member, you should have received an email that clearly states whether or not your personal information was accessed. You can also safely log in to your account for specific information on what personal data of yours was accessed. If you have not received an email from us, or you still have questions, please call 0800 086 086 to speak with our team.
Q2: How many people have been affected?
A: Approximately 26,000 of the 90,000 clients that have joined Generate over the last 7 years have had personal information accessed illegitimately.
Q2: What kind of personal information was accessed?
A: Solely information that is held in our online application database has potentially been compromised. Investment data is held in a completely separate system and was not affected. Members whose data was affected should have received an email outlining what types of information was involved. They can also safely log in to their Generate account to see specifically what information of theirs was accessed.
Q3: Has my password to my Generate online account been copied?
A: No – your password has not been compromised.
Q4. Are my savings safe with Generate?
A. Yes, your savings are safe. They are held in a separate system to the one that was accessed. Your funds are held by a custodian - Public Trust - which is a Crown entity that has been looking after the interests of New Zealanders since 1873.
Q5. How do I minimise the risks from identity theft?
A. You should consider taking the following steps to further protect yourself:
Q6. If someone has copied my ID document(s) could they have withdrawn my money from Generate?
A. While a fraudulent application for withdrawal could have been made using illegitimately obtained personal information, there is no evidence this has occurred. Furthermore, additional security measures have been put in place to prevent this from happening.
Q7. Why does Generate hold this much personal information about its members?
A. It is a legal requirement under New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism and KiwiSaver regimes.
Q8. How do I know this will not happen again?
A. Unfortunately, malicious attacks of this nature are becoming more common globally. In response to this incident, we have already taken a number of actions to further strengthen our security, and are also working with leading cyber security specialists to ensure rigorous, ongoing programme of testing and enhancement of our systems to further minimise risk.
Q9. I haven’t received an email about this yet, how do I know if I’m affected?
A. We emailed all members yesterday but are aware some emails have gone to spam or the email address we have is no longer current. Generate proactively contacted the media about this incident and posted on social media so that anyone who didn’t receive this email, could find out about this incident, contact us or log in to their online account to find out whether they have been affected. You can log in to your member account at www.generatewealth.co.nz.
Q10. I want to extend my credit suppression for longer than 10 days, what is the police reference number?
A. The police reference number is 200207/0175.
If you have any further questions after reading these FAQs, please call us on 0800 086 086.