See if your information has been exposed in a data breach with our latest free tool Check Now

26 Eye-opening identity theft statistics in New Zealand

Niek has worked at Eftsure for several years and has developed a clear understanding of the cyber threat landscape and the controls Australian businesses put in place to combat these threats.

Data privacy holds unprecedented significance for consumers and organisations in 2023. Cyber-criminals persistently seek innovative ways to breach sensitive information like credit card information or driver’s licenses.

What does this mean for finance leaders? Financial leaders need to stay vigilant around cyber-risks and adopt proactive measures that safeguard their organisations and consumers alike. By embracing cutting-edge technologies like machine learning and AI, financial leaders can fortify their defences.

One of the major cornerstones of cybersecurity reports used in this statistics article is the 2023 CERT NZ Data Landscape Report. The national computer emergency response team (CERT) in New Zealand provides meaningful insights and trends of identity theft that affect thousands of Kiwis each year.

In this article, we delve into crucial identity theft statistics in New Zealand, shedding light on the common techniques used and what organisations can do to combat them.

Author’s Top Picks

  • Identity theft has affected as many as 133,000 New Zealanders annually, costing the economy as much as $209 million every year.
  • 84% of organisations fell victim to an identity-related breach in the past year.
  • The most common compromised information was passports at 21.2%, followed by driver's licenses at 19.7%.
  • Organisations suffered direct financial losses totalling $5.8 million in Q1 2023, a significant increase (66.3%) compared to last quarter.

Identity theft statistics

1. One in five or 21% of New Zealanders surveyed were reported to have experienced identity theft.

Of those who experienced identity theft, the report dives into how the respondents first discovered the theft. For example, 18% of respondents discovered their identities were stolen via monitoring their financial accounts. In addition, more than one (36%) in three were notified about their identity theft by an external source.

2. Identity theft has affected as many as 133,000 New Zealanders annually, costing the economy as much as $209 million every year.

Identity theft statistics reveal that cyber-criminals often engage in identity theft for financial gain. Once they gain access to an organisation or individual’s bank account, their initial step is usually to make fraudulent purchases or apply for a loan. In more severe cases, these cyber-criminals may even resort to attempted blackmail.

Once an identity vulnerability is exploited, threat actors can move laterally through systems and networks, amassing intelligence, distributing malicious payloads and exfiltrating data. The longer any malicious actor lies undetected the greater their opportunity to traverse through identities.

4. Of the 155 files examined, information on the use of false identities was available in 152 files. 36% involved the misuse of identity in some way.

The Australian Institute of Criminology sheds light that fraud often involves the misrepresentation of one’s identity without being caught out by the authorities or creditors. They further suggest that there are three categories of identity-related fraud. For example, fictitious identities, stolen identities or changed identities (a declaration of change of name). The figure used to demonstrate which type was commonly used shows that the names changed by deed poll were the most common type with 144 files recorded.

5. 22% of identity scams are carried out via phones.

The primary reason why cyber-criminals clone an individual’s mobile number is to provide them greater access to personal information and sensitive data. By cloning a mobile phone, they can essentially replicate the victim’s device. This includes contacts, messages, call logs and at times even authentication credentials.

6. The most common compromised information was passports at 21.2%, followed by driver's licenses at 19.7%.

One key takeaway is about 80% of identity scams are detected by the victims themselves. However, for organisations, it can take twice as long to detect a breach. According to the newsroom, New Zealand organisations are not required to inform their customers if their information has been compromised or breached.

7. 32% of New Zealand IT decision-makers say they are concerned about phishing as a risk to their organisation.

In New Zealand, privacy and data retention has merged as a major issue with a recent high-profile data breach that saw over one million NZ records being obtained by cyber-criminals. The 2023 Phishing reports further demonstrates that the top cybersecurity incident that NZ organisations faced were phishing and credential stuffing. A 16% increase from the previous year.

8. Among the top cybersecurity incidents, scams and fraud increased 15% from 2021 and unauthorised access had increased 23% from 2021.

One of the key takeaways for financial leaders is to work with IT leaders in order to do the following. Educate staff on basic cyber hygiene, providing consistent guidance and support as well as implementing ongoing and engaging security awareness training. By staying vigilant and implementing robust security controls, financial leaders can minimise the risk of cyber-crime.

9. Phishing and credential harvesting (46.8%) continue to be the largest category of incidents for organisations in Q1 2023 reported to CERT NZ.

Cyber-criminals use various phishing and credential harvesting techniques to commit identity theft. Their attacks may include email phishing, spear phishing, whaling or business email compromise (BEC), vishing, smishing and more. One of their most notable attacks is the BEC attack. This attack involves targeting an organisation via email in an attempt to obtain access to the organisation’s bank account to steal funds.

10. CERT NZ received 14 vulnerability reports in Q1 2023 that involved servers, websites or web servers, networking, applications or software and telecommunications device.

If cyber-criminals fail at phishing, then they may target other company vulnerabilities. Their likelihood of success increases significantly when they target more than one company vulnerability like servers, applications or networks. When attackers shift their focus to exploit technical vulnerabilities, the level of sophistication and potential impact of the attack can be higher.

11. 90% of New Zealanders believe it is not easy to protect their information online.

Digital Identity New Zealand (DINZ), a not-for-profit member association of the New Zealand Tech Alliance, presents the latest research findings. According to the 2023 digital identity report, a significant number of Kiwis express concerns about the challenges of safeguarding their information online. An overwhelming nine out of ten New Zealanders are keen on having more control over their digital identity, finding it an appealing prospect. Organisations that can deliver on this front will be better positioned to fulfil their customers’ desires.

Impact and financial loss

12. Organisations suffered direct financial losses totalling $5.8 million in Q1 2023, a significant increase (66.3%) compared to last quarter.

Organisations have been severely impacted, with cyber-crime inflicting substantial financial losses. These losses, however, do not even account for the additional indirect damages, including data loss, reputational harm, and operational expenses. As we closely monitor the prevailing trends, it becomes evident that the financial losses from cyber-crime continue to escalate each year.

13. 95% of identity theft victims have experienced major impacts, such as freezing their credit cards (47%), time spent resolving issues (33%) or having funds stolen (29%).

As a financial leader, if you suspect that your organisation has fallen victim to identity fraud, swift action is imperative. First and foremost, isolate and secure the organisation’s bank accounts without delay. Additionally, if the identity theft involved targeting a specific user account, promptly get in touch with your bank or financial institution to isolate the affected bank account.

14. The largest financial loss sustained was in New Zealand, New South Wales and Queensland, involving losses in excess of $20 million.

New Zealand and Australia stand out as countries that have experienced significant financial losses from serious fraud. Cyber-criminals often target nations that have large digital infrastructures and are heavily reliant on technology. Such countries become enticing targets due to the abundance of opportunities they present for cyber-criminals to exploit vulnerabilities. Moreover, the lure of substantial financial rewards in the event of a successful attack further amplifies their desirability as targets for these criminals.

15. On average, it takes around 18 days to find out that your identity has been stolen.

According to David Lacey, founder and managing director of IDCARE, the average victim of identity theft in New Zealand suffered a financial loss of $12,213. Cyber-criminals predominantly targeted identity documents, such as passports and driver’s licenses. Shockingly, only about 80% of identity scams were detected by the victims themselves. When it comes to organisations, the detection process can be even slower, taking up to twice as long to identify and address identity theft incidents.

16. New Zealand banks report customers lost a combined total of NZD $183.5 million to scams in 2022.

In addition to the statistics, 23% of the 350 recorded incidents showed indications of a connection to criminal or financially motivated actors. This included scams like phishing and credential stuffing, unauthorised access and malware. Jacqueline Jayne, the security awareness advocate for KnowBe4 points out that organisations ought to reduce their single biggest cyber risk: the human element.

17. Out of the 586 incidents, 15 incidents reported by organisations indicated that they suffered reputational loss, 67 incidents towards data loss and 15 towards operational impacts.

In reference to the CERT NZ 2023 report, organisations faced various types of losses due to cyber-crime, including direct technical damages, such as compromised emails, disrupted phone systems, and compromised websites. Additionally, they experienced indirect losses, such as higher insurance premiums and reduced staff morale, which can have long-term impacts on the organization’s well-being. The financial burden of cyber-crime proves to be overwhelming for any organisation.

18. Of the 11 reports about incidents affecting organisations, the finance and insurance sector accounted for 29 reports (26.1%) in 2022.

Other sectors involved that were affected were the technology sector, education and training, manufacturing, construction and many others. Figure 11 demonstrates the breakdown by sector and incident category. One highlight is that the media and telecommunications sector reported that over 50% of their incidents were related to phishing and credential harvesting. These techniques are used to steal organisation login credentials such as usernames and passwords, in order to commit identity theft.

Best practices for protecting your identity

19. According to a survey, the most common practice in protecting identities was enabling multi-factor authentication (34%).

Mark Gorrie, Senior Director of Norton LifeLock says “It’s so important to maintain good digital hygiene – keep your devices updated with the latest operating system, use strong passwords combined with multifactor authentication”. MFA is not only a great tool for individuals but also for corporate accounts like email or software.

20. 33% of businesses feel equipped to protect their customer’s personal data, while just 25% find this easy to do.

According to identity theft statistics, the majority of businesses are either not prepared to protect their customer data or unsure. In addition, 37% of organisations believe that erasing personal data that is no longer needed find a great measure to protect their consumer’s data. Followed by 36% of organisations restricting access to personal data within the business.

21. Four in ten New Zealanders affected by a data breach said they had contacted OPC.

Whether a privacy breach is caused by accident or malicious intent, the impact on those affected can be devastating. Organisations no matter the size, need to ensure that the consumer information should be gathered appropriated and protected from unauthorised access.

22. More than three-quarters (79%) of organisations are having more than one cloud provider.

Storing information in a cloud environment can be considered as best practice for combating identity theft. Some cloud service providers have enhanced security, centralised security management and data backups. While cloud providers play a significant role in security, organisations must actively implement cybersecurity controls.

23. 51% of organisations are increasing security investments after a breach.

IBM Security offers valuable recommendations to organizations for effectively reducing the cost of a data breach. Firstly, they advocate integrating security measures at every stage of software development and deployment. This proactive approach ensures that potential vulnerabilities are addressed early in the process, minimising the risk of data breaches. Secondly, organisations are encouraged to modernize data protection practices across the hybrid cloud environment. Leveraging advanced security AI and automation tools can significantly enhance threat detection and response capabilities. Lastly, to bolster resilience, organisations should gain a comprehensive understanding of their attack surface and regularly practice Incident Response (IR) drills.

24. Only 28% of organisations extensively used security AI and automation tools in their cybersecurity processes.

On the flip side, organisations that do not utilize security AI or automation tools find themselves at a disadvantage. Surprisingly, nearly 4 in 10 rely solely on manual controls in their security operations, leaving a significant opportunity for cyber-criminals to exploit vulnerabilities. Relying solely on manual controls is insufficient to ensure comprehensive protection for an organisation. In today’s dynamic and sophisticated cyber-threat landscape, security AI and automation play a crucial role in detecting and responding to threats swiftly and effectively.

25. On average, only 45% of cloud data was currently encrypted globally.

Despite the reported increase in sensitive data being stored in the cloud, a concerning finding from the study revealed that New Zealand businesses are not fully leveraging encryption to protect this data adequately. Astonishingly, less than 17% of local IT professionals reported that more than 60% of their sensitive data in the cloud was encrypted. However, there is a glimmer of hope as NZ organisations are gradually recognising the advantages of cloud security, leading to a steady rise in cloud adoption year after year.

26. 73% of Kiwi IT decision-makers say they plan on investing in cybersecurity in 2023. Of those who plan on investing, 58% are likely to be investing in cybersecurity software solutions, followed by cybersecurity awareness training (55%).

New Zealand businesses must prioritise investing in comprehensive security controls that are integrated into their software, policies, and staff training. By effectively managing these three critical aspects of the business, financial leaders gain greater control over vulnerabilities and exposure to cyber threats. The key to success lies in constantly evolving security controls, staying one step ahead of the escalating threat of identity theft and other cyber-crimes. With a proactive and adaptive approach to cybersecurity, businesses can significantly enhance their resilience and protect their valuable assets from malicious actors and human error.


Identity theft is the crime of illegally stealing the personal and financial information of another person with the intent of assuming the victim’s identity. Identity fraud is the illegal use of that stolen information.

Identity theft occurs from many things like breaches of security, malware, hacking, and phishing. There is an abundance of information on the internet and information is generally free, so your identity can be stolen.

Anyone can be a victim of identity theft from entities in the business, individuals, and the government. Nonetheless, in reports, the elderly are more likely to be targeted by attackers, as they are also more likely to have more beneficial information for these attackers.

Not many businesses are fortunate enough to recover financially from identity theft; some are never able to recover at all. There are steps we can take to protect ourselves from fraudsters, such as monitoring our credit card and bank statements, verifying communications, and making sure we use the correct website addresses.

Subscribe to our blog

Subscribe to the eftsure blog to receive updates when we post.

The new security standard for business payments

Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.