Mortgage broker Squirrel and up to 600 customers have been the target of a cyber attack. 

Driver licence numbers and passport numbers were among material stolen in the breach, the company said. 

“We found out there was an issue on Sunday morning,” Squirrel chief operating officer Dave Tyrer told the Herald. 

He said it took until yesterday to confirm what, if any, personal data had been breached, and alert customers. 

“It’s not always easy to get the information you need, when you need it, in these situations.” 

Tyrer said based on investigations so far, Squirrel was “99.9%” sure an overseas actor or actors carried out the breach. 

Squirrel received no ransom demand or other contact from the attacker or attackers, he said. 

“They can’t hold us to ransom or anything like that. None of Squirrel’s direct systems are compromised.” 

He said the breach happened on a third-party system used for anti-money laundering and know your customer (KYC) verification. 

But Squirrel took responsibility and that third party provider’s other customers were not compromised, Tyrer said. 

• Health insurer Accuro says 30,000 customers’ data potentially exposed in hack
• Privacy Commission tells businesses to 'wake up' to risks of cyberattacks

“To be clear, the breach is on Squirrel and not on them as a provider.” 

He said Squirrel had taken steps to close the weakness the hacker or hackers exploited and reduce the chances of a similar incident happening again. 

The Office of the Privacy Commissioner had been told about the data breach, he said. 

“We’re 100% reimbursing any customer that wishes to replace their driver’s licence or passport.” 

Photos on the licences and passports had not been stolen or compromised, he said. 

The hack might remind some people of the Latitude-Genoapay data breach but Tyrer said the Squirrel breach, though serious, was on a smaller scale and less severe. 

It impacted customers who signed up with Squirrel between June 20 and July 20. 

“The majority of them were registered to become an investor with Squirrel,” Tyrer said. 

He said he could not be certain what the motivation for the attack was. 

“Identity data can be valuable [but] typically it’s only valuable if you also have the image related to the customers.” 

The company said no other customers were impacted and no customers had user names, passwords, or bank account details compromised. 

Tyrer said various alerts on Sunday notified Squirrel of a potential problem but for security reasons he did not want to elaborate on what those alerts were. 

He said he believed Squirrel’s response time from the first alert to breach confirmation was in line with how many other companies would or could respond. 

He said affected customers could 0800 212 230 or email [email protected]. 

Squirrel provides peer-to-peer lending and investing as well as mortgage brokering services.