4 Jun 2020

Investigation into data theft from KiwiSaver provider grinds to halt

4:58 pm on 4 June 2020

An investigation into the theft of thousands of customers' data from a KiwiSaver provider has ground to a halt.

CERT - or the Computer Emergency Reponse Team - which was set up two years ago with a budget of $22.2 million over 4 years to help identify and advise on cyber security threats.

Photo: 123RF

In February, Generate KiwiSaver reported that 26,000 of its customers had their addresses, IRD numbers and possibly their passports and drivers' license numbers stolen by a third party.

The company attributed the data breach to a malicious third party attack, and said it had engaged an external cyber security specialist to advise its response to the situation.

At the time the company said it had reported the incident to the police.

However, when Generate KiwiSaver Victims spokesperson John Campbell sought a copy of the police report he was told it did not exist.

In response to his OIA request in April, police said, "we are still awaiting information from Generate and as such I can advise that a police report into this matter does not currently exist."

Campbell said he was "gobsmacked" and "felt sick" to learn that Generate had not followed up the initial complaint.

The company's actions led him to question whether there was poor security rather than a hack.

"It seemed pretty apparent to me that what Generate had done was made all this noise in the media about all the victims, and all the big police reports and there was a sophisticated data theft - when in reality it was nothing sophisticated at all."

In a statement, Generate chief executive Henry Tongue said filing a police report was an essential step to enable affected customers to get credit suppression orders.

"We provided the police with all the information we had at the outset and to the best of our knowledge there are no outstanding information requests from them.

"We engaged the services of independent Siberia security specialists who investigated the incident thoroughly and no new information relevant to a police investigation was uncovered.

"They advised that unfortunately in the majority of cases like this, whereby the perpetrator appears to have a high level of sophistication, they are never found."

The company did not respond to Campbell's claims over its cyber security.

Generate has said money invested with the company is safe as it is held in a separate system.