PRIVACY POLICY

Generate Incident

You have been directed here because you selected Generate on our Get Help Form. You will receive an email confirmation and case number for your reference.

If you haven’t heard of IDCARE, we are a national community support organisation that has been engaged by Generate to provide independent support and advice to individuals impacted by this incident. Below is a list of recommendations that make up our Response Plan for you based on our knowledge of the Generate incident. Note that you do not need to do or follow any of the advice. It is advice we offer as a specialist capability for the community that deals with identity theft, cybercrime and scams every day. It is advice that answers the question

(i) what are the risks to my identity from this breach? and

(ii) what can I do proactively beyond what Generate has done to protect against these risks.

Note that we have not had any reports of any of these risks materialising. That doesn’t mean it hasn’t happened, but IDCARE receives about 50,000 engagements a year from across both sides of the Tasman so we are in a pretty good position to pick up if things were to happen.

The response advice is offered for you to consider if you have tried to engage IDCARE out of hours or you want to look at taking some proactive steps to protect your identity information

Please note our services are free and confidential to the New Zealand community and we only need to know how to contact you (email or phone) and your first name (or whatever name you would like to give).

The Response Plan we have formulated for you covers four key areas:  
  1. Your credentials 
  2. Protecting against credit risks (if you believe your driver licence or passport has been exposed)
  3. Protecting your existing accounts 
  4. Proactive measures and what to look for 

Your credentials 

Generate have advised IDCARE that they have created an online portal for customers impacted by this incident for you to confirm what information has been exposed in this incident. The portal is accessed via logging into your online account. If you have not accessed their portal we would strongly encourage you to do so. If you have any questions about the portal or difficulty accessing it please call Generate on 0800 086 086.

 

Inland Revenue, IRD: there is no need for you to contact IRD in relation to this matter. Generate has an arrangement in place with IRD where they have already proactively implemented additional security controls in relation to Generate customers. If you would prefer to speak with IRD directly, they may be called on 0800 775 247.

 

Bank Statement/details: Whilst Generate have put additional controls on their customers’ accounts, many of us have accounts with other financial institutions. We recommend you reach into any other financial institution you have a relationship with and talk to them about what has occurred and whether they can offer additional security measures. Updating your passwords and exploring multi-factor authentication (such as security codes in addition to username and password) is always good practice to protect online accounts.

 

Only if you have checked the Generate portal and you have seen that your licence or passport has been exposed do we recommend you consider the following proactive steps:

 

New Zealand Driver Licence (DL): As only your details have been compromised, and you still have the physical document, it does not affect your ability to use this document with regards to transport matters. However, this information can be used to access products and services from other organisations, including opening new lines of credit in your name. To protect against this there are measures you can take in relation to protecting your credit (see below), as well as replacing your driver licence. If you replace your licence, you will be issued a new 3-digit version number which will help to reduce the risk of fraud. You can do this by calling 0800 822 422 or registering through Real Me and cancelling your current licence and requesting a new one. Note that there is a fee associated with changing your licence number.

  

Passport: The compromise of passport information does not impact or preclude you from travelling. However,like a driver licence, this information may be used to access products and services from other organisations, including opening new lines of credit in your name. If you replace your passport it is likely to reduce any risks relating to the former passport’s misuse. For New Zealand passport holders,please contact the Department of Internal Affairs via their Online passport renewal process (you will need to indicate that your passport has been lost or stolen).

  

Mobile account and phone: A risk involving driver licences, passports and mobile phone numbers relates to unauthorised mobile phone porting. Whilst we do not believe this is likely in this matter, we have provided a link to an IDCARE Fact Sheet that explains what this means and what steps you can think about taking if you would like to mitigate such risks - keeping a mobile number secure. 

 

Protection Against Credit Risks (only if you have had confirmed that your driver licence or passport was exposed via the Generate portal)

 

A driver licence, passport or any other government issued ID are key documents scammers look for in order to obtain products and services on credit in another person’s name (such as credit cards, mobile phone accounts, and personal loans). To protect against credit risks, we recommend that you place a credit suppression on each of your credit reports and obtain a copy of your current reports. These are managed by three Credit Reporting Agencies (CRAs). Under Privacy laws applying for a credit ban or suppression, just like your credit report, is free and should not be charged. At present you will need to contact each of the three CRAs independently. The following are links to IDCARE's Fact Sheets on how to complete Credit suppression and Credit Report processes for each CRA: 

 

Steps to apply for Credit suppression

Steps to apply for Credit Reports

 

The New Zealand Office of the Privacy Commissioner also has additional information about your rights and credit reports and suppressions (see https://www.privacy.org.nz/further-resources/knowledge-base/view/193?t=13158_17950).

 
Protecting your existing accounts 

It's often easier for criminals to exploit existing accounts than to create new ones. We recommend contacting organisations that may rely upon the information and credentials about you that you have concerns about. When you engage them tell them that your personal and account information may be at risk and you would like to explore what additional controls they can put on your account. This really comes down to each organisation and common changes include updating passwords and PINs, introducing multi-factor authentication or secret questions. It's also important to confirm with each organisation the precise contact details and other existing information they have about you. Unfortunately, it is not uncommon for criminals when impersonating people to have organisations change contact details, such as telephone numbers, email addresses and postal addresses to ones they control.  We ask that you reflect on organisations that have relied on this type of information and engage them actively to discuss what additional controls they can put in place.

 

Proactive measures and what to look for 
  • Online security - ensure you are running the latest anti-virus program and that you have the latest operating system and application updates installed (across all devices).  
  • Password management - ensure after you are confident about the security of your device, change all relevant passwords and consider using a password manager. It’s important to ensure that you don't use the same password for multiple accounts. 
  • Safeguard your email account - after resetting your email password and implementing multi-factor authentication if you can (or if not already in place), check your email account forwarding rules. These are rules that can be created in your email settings that can result in particular or all emails received being forwarded to another email account. Unfortunately we see this occur where criminals have accessed email accounts and then arranged for emails containing specific information or words being forwarded to their account. Changing passwords, setting up multi-factor authentication and deleting the rule will often address this risk. As a general rule, try and avoid sending or retaining emails that contain credential information, such as driver licence, passport,taxation and account details (for you and for others). See more tips for keeping your email accounts secure at idcare.org 
  • Phishing emails, text messages or phone calls – be extra vigilant if you receive emails, text messages or phones calls purporting to be a financial institution, Government or other well-known brand. IDCARE has seen an escalation of text message-based phishing attempts over the last six months and for scammers that know information about you, such as the details exposed in this event, they can make these communications look really genuine. Don’t respond impulsively to these communications and know what “high-risk” requests or calls to action are. Most scammers want you to click on links, open attachments, or verbally demand personal information to “validate” your identity (such as driver licence details, account numbers, even multi-factor authentication codes sent to you by the legitimate organisation). Don’t feel pressured. Take their details, make your own enquiries and do some research on the correct way to engage the purported organisation. Good organisations don’t contact you and then ask you to provide these details.

  

What should you look out for 

common events that indicate that your personal or credential information is being exploited that are worth keeping an eye out for include: 

  • You find enquiries or credit checks on your credit reports that you did not initiate (eg. a credit check from a bank you have never banked with); 
  • Your mobile phone loses signal on the network by displaying "SOS"; 
  • You are locked out of internet banking or your email account; 
  • You receive anew account letter in the mail or your mail stops; 
  • You are contacted by a debt collector; 
  • You start seeing transactions or changes to your account balances that you cannot explain; 
  • You receive messages or emails from organisations asking you to complete surveys for leaving or from new organisations welcoming you to their service when you didn't apply; 
  • You start receiving phone calls from individuals complaining about your telephone number or posts on social media about things you have allegedly done when you haven't. 

Thanks again for reaching out. If you want to know more about protecting personal information there are a bunch of resources available as part of our community services provided in our Learning Centre. Please visit IDCARE.org

CONTACT US

IDCARE is here to provide you with specialist support and guidance when faced with a cyber and identity related issue. Contact one of our Identity & Cyber Security Case Managers to learn more about our Support Services and how we can help you.   
Call Centre Icon

call our AUSTRALIAn
NATIONAL CASE MANAGEMENT CENTRE

1800 595 160
‍Mon - Fri : 8am - 5pm AEST

Call Centre Icon

call our NEW ZEALAND
NATIONAL CASE MANAGEMENT CENTRE

0800 121 068
Mon - Fri: 10am - 7pm NZST