Generate, which claims to be the 10th largest KiwiSaver provider, was hit by a data breach in December 2019 that affected sensitive information of its members. Generate did not comment on the extent of the data breach, but admitted that all information uploaded to the membership application system had been accessed by third parties. This has put members at risk of identity theft and of possible harm, including a damaged reputation.
Depending on the information obtained, cybercriminals can sell it on the dark web to other criminals, who will actively use it in targeted phishing campaigns. According to the statement released by the KiwiSaver provider, hackers exploited their weaker online membership application system between 29 December 2019 and 27 January 2020.
According to the report, personal names and addresses, photographic identification and Inland Revenue tax identification numbers of about 26,000 members were affected in the breach. The website requires applicants to submit copies of photographic identification, such as a driver’s license or passport, and the withholding tax rate that applies to the applicant, in addition to other personal information. The report revealed that out of the 90,000 people who have invested their KiwiSaver funds with Generate since it began operating 7 years ago, 26,000 were affected by the breach. Generate still has about 70,000 active members using its services. The KiwiSaver provider gave assurances that no investment funds were affected in the breach, since they are kept separately in a trust.
Henry Tongue, the CEO of Generate, reported that they have made an effort to contact all Generate members to find out if they were affected in the breach. The Privacy Commissioner, the Finance Market Authority, and Police and Tax Department have been notified of the necessary measures to be taken. Generate is the 11th largest KiwiSaver provider by funds under management, according to the report. It was estimated to hold about $1.8 billion in members' savings. Of the $63.1 billion market, the company has about a 2.9% share. The company is very prominent and has a good standing in its operation. However, there was a vulnerability that was unknown to them but known to hackers.
The company has 28 shareholders, and some of them are Mark Weenink, Westpac New Zealand’s General Counsel, and General manager of Regulatory Affairs. Hackers are no respecters of companies, and as long as a company hosts personal information, it is a primary target.
The Inland Revenue Department has confirmed that they have been notified of a data breach that has hit the KiwiSaver provider. According to them, they are working around the clock in a bid to put measures in place to ensure that the stolen information is not used by the cybercriminals. The possible scenario when cybercriminals get hold of this information is that they may attempt to access the Inland Revenue System with the stolen information. They have clarified that they have not recorded any incident of criminals attempting to use their system with the stolen information.
Tongue admitted that data breach incidents of this nature against companies and service providers have become rampant both in New Zealand and across the world. Hackers mostly start such an attack with a simple targeted phishing campaign. They typically send malicious emails to an employee and attempt to infiltrate the company's system once the employee downloads a malicious attachment or visits a malicious website.
Some hacker groups use ransomware for this operation, as it can exfiltrate data and encrypt files at the same time, allowing them to demand a ransom or sell the obtained information on the dark web. The KiwiSaver provider has stated that though cybercriminals may make fraudulent withdrawal applications using the illegitimately obtained information, there is no evidence of such.
Also, it is likely that the passwords have been changed; there is no evidence that the attackers have compromised the passwords used to access personal information. Companies that host large amounts of their members' personal information are solely responsible for any form of data breach that puts sensitive information at risk. Agencies and organizations must prioritize cybersecurity and treat personal information with the utmost importance to avoid incurring higher costs after a breach.
2019 was a year full of data breaches, especially in the latter part of the year. It is important for companies to update their cybersecurity tools to the latest release and to patch as many security flaws as possible before hackers take advantage of them. Companies are expected to prepare for the months ahead so that they can deal with data breaches, which have been predicted to increase even further.
Source: NZ Herald