You have been directed here because you selected KiwiSaver on our Get Help Form. You will receive an email confirmation and case number for your reference.
If you haven’t heard of IDCARE, we are a national community support organisation that has been engaged by KiwiSaver to provide independent support and advice to individuals impacted by this incident. Below is a list of recommendations that make up our Response Plan for you based on our knowledge of the KiwiSaver incident. Note that you do not need to do or follow any of the advice. It is advice we offer as a specialist capability for the community that deals with identity theft, cybercrime and scams every day. It is advice that answers the question (1) what are the risks to my identity from this breach? and (ii) what can I do proactively beyond what KiwiSaver has done to protect against these risks.
Note that we have not had any reports of any of these risks materialising. That doesn’t mean it hasn’t happened, but IDCARE receives about 50,000 engagements a year from across both sides of the Tasman so we are in a pretty good position to pick up if things were to happen.
The response advice is offered for you to consider if you have tried to engage IDCARE out of hours or you want to look at taking some proactive steps to protect your identity information.
Please note our services are free and confidential to the New Zealand community and we only need to know how to contact you (email or phone) and your first name (or whatever name you would like to give).
KiwiSaver have advised IDCARE that they have created an online portal for customers impacted by this incident for you to confirm what information has been exposed in this incident. The portal is accessed via logging into your online account. If you have not accessed their portal we would strongly encourage you to do so. If you have any questions about the portal or difficulty accessing it please call KiwiSaver on 0800 086 086.
Inland Revenue, IRD: there is no need for you to contact IRD in relation to this matter. KiwiSaver has an arrangement in place with IRD where they have already proactively implemented additional security controls in relation to KiwiSaver customers. If you would prefer to speak with IRD directly, they may be called on 0800 775 247.
Bank Statement/details: Whilst Kiwisaver have put additional controls on their customers’ accounts, many of us have accounts with other financial institutions. We recommend you reach into any other financial institution you have a relationship with and talk to them about what has occurred and whether they can offer additional security measures. Updating your passwords and exploring multi-factor authentication (such as security codes in addition to username and password) is always good practice to protect online accounts.
Onlyif you have checked the KiwiSaver portal and you have seen that your licence orpassport has been exposed do we recommend you consider the following proactivesteps:
New Zealand Driver Licence (DL): As only your details have been compromised, and you still have the physical document, it does not affect your ability to use this document with regards to transport matters. However, this information can be used to access products and services from other organisations, including opening new lines of credit in your name. To protect against this there are measures you can take in relation to protecting your credit (see below), as well as replacing your driver licence. If you replace your licence, you will be issued a new 3-digit version number which will help to reduce the risk of fraud. You can do this by calling 0800 822 422 or registering through Real Me and cancelling your current licence and requesting a new one. Note that there is a fee associated with changing your licence number.
Passport: The compromise of passport information does not impact or preclude you from travelling. However,like a driver licence, this information may be used to access products and services from other organisations, including opening new lines of credit in your name. If you replace your passport it is likely to reduce any risks relating to the former passport’s misuse. For New Zealand passport holders,please contact the Department of Internal Affairs via their Online passport renewal process (you will need to indicate that your passport has been lost or stolen).
Mobile account and phone: A risk involving driver licences, passports and mobile phone numbers relates to unauthorised mobile phone porting. Whilst we do not believe this is likely in this matter, we have provided a link to an IDCARE Fact Sheet that explains what this means and what steps you can think about taking if you would like to mitigate such risks - keeping a mobile number secure.
Protection Against Credit Risks (only if you have had confirmed that your driver licence or passport was exposed via the KiwiSaver portal)
A driver licence, passport or any other government issued ID are key documents scammers look for in order to obtain products and services on credit in another person’s name (such as credit cards, mobile phone accounts, and personal loans). To protect against credit risks, we recommend that you place a credit suppression on each of your credit reports and obtain a copy of your current reports. These are managed by three Credit Reporting Agencies (CRAs). Under Privacy laws applying for a credit ban or suppression, just like your credit report, is free and should not be charged. At present you will need to contact each of the three CRAs independently. The following are links to IDCARE's Fact Sheets on how to complete Credit suppression and Credit Report processes for each CRA:
The New Zealand Office of the Privacy Commissioner also has additional information about your rights and credit reports and suppressions (see https://www.privacy.org.nz/further-resources/knowledge-base/view/193?t=13158_17950).
It's often easier for criminals to exploit existing accounts than to create new ones. We recommend contacting organisations that may rely upon the information and credentials about you that you have concerns about. When you engage them tell them that your personal and account information may be at risk and you would like to explore what additional controls they can put on your account. This really comes down to each organisation and common changes include updating passwords and PINs, introducing multi-factor authentication or secret questions. It's also important to confirm with each organisation the precise contact details and other existing information they have about you. Unfortunately, it is not uncommon for criminals when impersonating people to have organisations change contact details, such as telephone numbers, email addresses and postal addresses to ones they control. We ask that you reflect on organisations that have relied on this type of information and engage them actively to discuss what additional controls they can put in place.
common events that indicate that your personal or credential information is being exploited that are worth keeping an eye out for include:
Thanks again for reaching out. If you want to know more about protecting personal information there are a bunch of resources available as part of our community services provided in our Learning Centre. Please visit IDCARE.org