Generate Kiwisaver recently had a data breach, with 26,000 of its members affected. On the 12th of February, I received an email from Generate Investment Management Ltd informing me of the data breach incident that had occurred within the organisation. The email goes on to state “personal information was accessed, yours was not”. I am a new customer of Generate Kiwisaver (only 2 months old), but I shudder at the idea that it could have been my personal data that was compromised. When I signed the terms and agreement, next to the part where they state that they take care of their clients' data and ensure confidentiality, I wrote “how do you protect my data?” To this day I have not received a reply. As a consumer myself, it is critical for me to understand how organisations manage my data and how they keep it safe. With the world becoming increasingly digitalised, and with new threats rapidly emerging, “how do businesses keep their clients' data safe?” is becoming a crucial question.
I work in an organisation that helps other businesses build and improve cyber resiliency. I know that the process of improving cyber resiliency can be challenging and that managing cyber risks requires continuous improvement, executive and board support and a culture of cyber responsibility.
This blog post is about the lessons that can be taken from the Generate data breach.
Generate currently has around 70,000 customers in the database that was breached, of which 26,000 members were affected by this breach. Around 10,000 of those affected had their passport and driver's licence information stolen. The issue here is that the individuals who have been affected could have their identity stolen. Generate has now agreed to pay for replacement documents for those individuals whose driver's licence and passport data was breached, costing Generate around $2 million. Did they need to pay this? The ethical expectation is now that businesses need to pay for their clients' identity protection, so Generate should not only be paying for the replacement of its clients' identity documents but also paying for identity protection programmes to ensure that the impact on its clients is minimised.
Some of the steps that have been taken by Generate are proactive, including informing the Financial Markets Authority, Inland Revenue, the New Zealand Police, and the Privacy Commissioner. They have stated that they are now working on strengthening their security and implementing an ongoing programme of testing.
However, the problem is this: it’s not a cybersecurity issue, it’s an organisational management issue. As we can see from the Generate messaging, they talk about technical cybersecurity controls. What they aren’t talking about is that it is a whole-of-business issue, and that the business as a whole has failed to protect its customers' personal information.
Data protection is an executive responsibility with Board accountability. It has cost Generate $2M to be ethical, on top of the minor remediation costs, but the likely major costs are to brand identity and reputation. I wonder what churn Generate is going to experience, and it is likely that Generate's customers are going to end up paying for that $2M. One of the clients whose information was breached is considering legal action in respect of stress and the risk of identity theft.
When are Directors and the C-suite going to recognise that the damage to their brand is damage to intangible assets, whilst direct costs are now dramatically escalating? When are directors and executives going to realise that organisations need to own and build a cyber resilience culture that they lead from the top? These attacks are not going to stop; it’s not a matter of if, but when.
How do you build up cyber resilience?
The first step is to get a risk assessment, to identify what the risks are within your organisation. From there, build a cyber resilience programme that continuously improves your organisation’s resilience to cyber risks, including implementing robust processes to manage a breach. We at Cybercraft can assist you in becoming cyber resilient by helping you get that independent risk assessment done. Don’t let your business become like Generate; be proactive with your organisation’s journey to become cyber resilient. Otherwise you will have customers like myself who are annoyed and frustrated with how their data has been protected, and who become ex-customers.