Overseas Hacker Suspected of Stealing Personal Details from Lending Firm’s Systems
New Zealand peer-to-peer lending platform Squirrel has suffered a significant data breach, compromising the sensitive personal information of up to 600 customers.
According to Squirrel COO Dave Tyrer, who spoke to the NZ Herald, the company first detected an issue with its systems on July 23rd. It took until the following day for an investigation to confirm that customer data had indeed been accessed without authorization.
The breached information included driver’s license and passport numbers of impacted individuals. Thankfully, no pictures from the IDs or financial details like banking information were part of the data stolen.
Tyrer stated Squirrel believes with “99.9% certainty” that an overseas hacker or group carried out the cyberattack. No ransom demands were received, suggesting the motive was to steal identity data rather than encrypt systems for payment.
The breach occurred on a third-party verification system used by Squirrel for anti-money laundering and know-your-customer checks. However, Tyrer ensured no other clients of the vendor were compromised. Squirrel takes full responsibility for protecting customer information.
Customers signed up between June 20th and July 20th were among those affected, most of whom registered to become Squirrel investors. The company notified the Office of the Privacy Commissioner and is reimbursing replacement costs for IDs for any customer that requests it.
Though Tyrer could not be certain of the hacker’s intentions, he noted identity data on its own holds value, and even more so if combined with identification photos, which were not part of the breach.
Squirrel has since taken steps to address the method used in the attack and reduce future risks. However, the incident serves as a warning for all firms to bolster cybersecurity defenses against sophisticated actors targeting lucrative personal datasets.
Customer Anger and Concerns Over Inadequate Compensation After Squirrel Data Breach
The data breach understandably upset many Squirrel customers whose private details were compromised without consent. One affected individual shared his dissatisfaction with the proposed $27 reimbursement for replacing a driver’s license with the Herald.
“Squirrel got hacked and my details stolen. They offered me $27 compensation to replace my driver’s licence. I believe this is unacceptable.”
Considering the time spent replacing IDs, potential risks of identity fraud, and right to privacy, some feel this amount falls short of adequately accounting for the damage done. With no way to guarantee stolen data won’t be misused, complete assurance is difficult for victims.
While Squirrel was transparent regarding the breach and is accepting responsibility, the incident calls into question security practices and safeguarding of valuable customer information. Systems held this sensitive data deserve robust protections to prevent opportunistic hackers from slipping in.
As digital services increasingly store vast dossiers of personal records, data breaches will remain an ongoing threat. All organizations must devote sufficient attention and resources to information security best practices in order to maintain public trust.