The online data breach reported by Generate last week is unlikely to reflect a systemic problem across the industry, according to chief executive, Henry Tongue.
It is understood other KiwiSaver providers and fund managers are reviewing security procedures following the Generate client data leak.
However, Tongue said the hack exploited a “specific issue with our system which we were able to rapidly identify and secure”.
“We do not believe that this was a systemic issue, based on what we identified,” he said.
Tongue said in the wake of the breach Generate moved to “immediately secure our system, and begin comprehensive audit and testing to identify ways we can further enhance our security against malicious attack”.
He said moving to a new system would “not be feasible, and… would obviously create its own risks”.
Almost a third of the 90,000 Generate investors have been affected by the personal data breach, the Auckland-based boutique reported last week.
In a statement, Generate said that “some of its members’ personal information has been accessed illegitimately” in a malicious attack on its online application system dating from late last year until January 27.
However, the breach, which may have affected some 26,000 Generate investors, has not threatened member funds, which are held in custody by Public Trust while MMC provides registry and fund accounting services.
“We want to be clear that the incident did not affect members’ investment data, which is held by Public Trust in a completely separate system, and no account information (including passwords and transaction records) has been accessed,” Tongue said. “As no credit card information is captured during the online application process, it wasn’t in the system so was never at risk.”
But the hackers may have stolen personal member information including name, address, IRD number and, in some cases, identification and proof of address documentation, he said.
“There are some differences in exactly what data was involved for each affected member, so we’ve sent them personalised emails recommending they safely log in to their Generate account to see exactly what information or documents were accessed,” Tongue said.
To date, no Generate investors have reported any suspicious activity in other financial accounts. The group has recommended that affected members change online passwords and closely monitor bank and credit card accounts.
Generate has alerted the Police, the Financial Markets Authority, the Privacy Commissioner and Inland Revenue in the wake of the data incursion.
Tongue said it was “unlikely” that the culprits would be discovered.
“While we’re obviously pursuing this line of enquiry, our priority has been immediately securing our online application system, working with leading cyber security specialists to do a comprehensive audit and testing of all our systems, and assisting our affected members to further minimise their risk by providing them with the detailed information they need,” he said.
The firm has hired cyber security firm IDCARE to help Generate members affected by the breach.
Generate has about $1.5 billion under management, mostly in its fast-growing KiwiSaver scheme. The firm is contacting all members stung by the online breach, Generate says in the statement.
“As an organisation, we take the protection of our clients’ data very seriously, and we unreservedly apologise to all of our members for this situation,” Tongue said. “We are working hard to assist the members that are directly affected by this, and to enhance the security of our systems to prevent this type of incident occurring again in the future.”
Generate said only information “held in our online application database has potentially been compromised”.
The manager has added a link on its website for those seeking further detail.