By Eric Frykberg
The New Zealand Office of the Privacy Commissioner (OPC) and the Office of the Australian Information Commissioner (OAIC) have commenced a joint privacy investigation into the March Latitude Financial Services data breach.
This decision follows preliminary inquiries into the matter by both offices. This is the first joint privacy investigation by Australia and New Zealand.
The breach, New Zealand’s largest, has seen millions of New Zealanders’ and Australians’ records exposed, including drivers’ licenses, passports and sensitive financial data including personal income and expense information.
In announcing the investigation, the Office of the New Zealand Privacy Commissioner said the joint investigation did not preclude the OAIC and OPC reaching separate regulatory outcomes or decisions regarding the most appropriate regulatory response to the breach.
The OAIC and OPC’s investigation will focus on whether Latitude took reasonable steps to protect its information systems. The investigation will also consider whether Latitude took appropriate steps to destroy or de-identify personal information that was no longer required.
Latitude says it has been working closely with the OAIC and the OPC since the cyber-attack and "will continue to fully cooperate as they undertake their investigation."
Deputy Privacy Commissioner Liz MacPherson said the investigation would focus on how the hackers gained entry to Latitude's data and how long they were inside the system before they were discovered.
It would also look at the company's response to the hack.
"This was a significant attack with an appalling result," MacPherson said.
"There is a human cost to a breach. We have former customers of Latitude who took a loan to buy a fridge about 15 years ago and now part of their identity is being held for ransom.
"I also expect this breach has caused emotional stress for staff and the Board at Latitude Financial and I thank them for their constructive engagement with us to date.
"As this investigation is now active no further comments will be made on it until it is concluded."
In background notes to this inquiry, the OPC said Latitude Financial Services Ltd NZ provided a wide range of financial and some limited insurance services via Gem Finance and Gem Visa and several subsidiary groups.
Its management had estimated that 14 million NZ and Australian customer records have been exposed because of the March attack, of which around 1.08 million are NZ customer records.
Those 1.08 million NZ customer records include around 1.037 million driver license records, around 40,000 passport records and sensitive income and expense information which was submitted as part of a personal loan application process.
3 Comments
"The investigation will also consider whether Latitude took appropriate steps to destroy or de-identify personal information that was no longer required."
That's what I'll be interested in. I had details taken as I had a previous GEM card. So have since had to lock credit scores via Centrix who pass on the request to Illion and Equifax.
Meanwhile the hackers are one step ahead, ChatGPT is on the way
https://maritime-executive.com/editorials/hackers-could-use-chatgpt-to-…
14 million people affected by this.
Latitude need to be fined into oblivion as an example to other companies.
I used to maintain a software service that stored the same data they had stolen. There were so many precautions they could've taken that they obviously didn't.