$500 gone from bank account, Generate KiwiSaver member blames hack

Friday, 14 February 2020

The bank reversed a $500 charge that was loaded against his account after the hack.

Auckland man Jake, whom Stuff has agreed not to identify, says he might have been able to avoid having money stolen from his bank account had he been aware that his KiwiSaver provider had been hacked.

Provider Generate revealed this week that its records had been accessed 'illegitimately' between December 29 and January 27.

Hackers stole members' personal information, including names, addresses, IRD numbers, and potentially ID and proof of address documentation.

Their KiwiSaver savings were not affected.

* BNZ struggled to abide by anti-money laundering laws**

Jake, who did not want to be identified, said his bank account was compromised on February 7, and more than $500 was taken. He said he felt that, if he had known about the Generate problems earlier, that might have been able to be avoided.

An attempt was made to log in to the man's Netflix account.

A payment was processed for $500 Airpods on eBay. 'They list it to effectively sell it to themselves using someone else's card. It was all the money I had in my current account.'

The bank had since reversed the charges. He said it seemed unlikely it was not related to the Generate hack.

He said he was concerned at the idea that the hackers might now have a colour copy of his passport. The Department of Internal Affairs had loaded an alert so that if anyone tried to use it to certify identification, he would be contacted.

Since the hack, there had been attempts made to sign in to his Netflix account from California, he said. 'They've got my email address and they've gone site by site with the password I had [for Generate]. It just happened to be the same password for two accounts.'

It made it clear to him how easily identity theft could happen, he said. 'I never thought it would happen to me.'

More Kiwis are being targeted online. Published on November 1.

Generate chief executive Henry Tongue said people who thought their misappropriated personal data has been used fraudulently in any way, should report it to the organisation/company that processed the fraudulent transaction and notify the Police as well as credit agencies to immediately request credit suppression.

'There is no evidence of fraudulent activity in Generate's own member accounts, and additional security measures were immediately put in place to prevent this from happening.'

The main banks said they had not yet seen any criminal activity as a result of the Generate breach.

University of Auckland associate professor Gehan Gunasekara, who specialises in information privacy law, said the company should take steps to mitigate the impact on clients, such as paying for replacement identification documents for those who were affected.