New Zealand-Australia Investigation Into Latitude Breach Begins
The New Zealand Office of the Privacy Commissioner (OPC) and the Office of the Australian Information Commissioner (OAIC) have commenced a joint privacy investigation into the 12 March Latitude Financial data breach.
This decision follows preliminary inquiries into the matter by both offices.
This is the first joint privacy investigation by Australia and New Zealand and reflects the impact of the data breach on individuals in both nations.
The breach, New Zealand’s largest, has seen millions of New Zealanders’ and Australians’ records exposed, including drivers’ licenses, passports and sensitive financial data including personal income and expense information.
The joint investigation will allow the use of both agencies’ resources. The structure of the investigation does not preclude the OAIC and OPC reaching separate regulatory outcomes or decisions regarding the most appropriate regulatory response to a breach.
The OAIC and OPC’s investigation will focus on whether Latitude took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.
The investigation will also consider whether Latitude took appropriate steps to destroy or de-identify personal information that was no longer required.
Deputy Privacy Commissioner Liz MacPherson says the investigation will focus on
- how the hackers’ gained entry to Latitude Financials’ systems
- how long they were inside before they were noticed
- what Latitude’s staff did when they discovered the attack
- the retention of information held by Latitude, and
- the security and storage of that information within its IT systems.
"This is a significant attack with an appalling result. I want to thank the affected customers who have been in contact with us so far. Thank you for your patience and for sharing your experiences with us, says Liz MacPherson.
"There is a human cost to a breach. We have former customers of Latitude who took a loan to buy a fridge about 15 years ago and now part of their identity is being held for ransom. We will be asking the same questions these customers are. Could Latitude have done anything to prevent the hackers getting in and stealing information? What reasons does Latitude have for holding onto the personal information of past customers for such long periods?"
"I also expect this breach has caused emotional stress for staff and the Board at Latitude Financial and I thank them for their constructive engagement with us to date," says Liz.
A compliance investigation enables the Office of the Privacy Commissioner to use its full information gathering powers including obliging people to provide information and summoning witnesses.
"This information will help us to establish whether Latitude’s actions or inaction enabled the cyber-criminals and contributed to the scope and impact of the breach. Establishing these facts will be critical to our ability to make decisions about the individual complaints that are made to us by impacted Latitude customers", says Liz.
"We are still encouraging affected customers to contact Latitude Financial and ID Care for support first. They have made commitments to assist impacted customers. If you complain to Latitude and you haven’t heard back from them within 30 working days, then we encourage affected customers to make a complaint to us.
Liz says, "we won’t start assessing individual complaints until we have completed our compliance investigation, but we want to get a sense of the number of people affected and the issues people are facing.
"We are expecting this investigation to be wide-ranging and we need to be able to assign investigators accordingly and plan how to meet the needs of affected customers. We also want to know the types of impact and harm people have suffered because of this breach (e.g. examples of harm like identity theft, credit difficulties, undue stress etc).
"We have set up an email for affected customers to contact our team easily. Can you please contact us at latitude.breach@privacy.org.nz "
The Office of the Privacy Commissioner has been working with the Office of the Australian Information Commissioner (OAIC) throughout the early stages and will continue to do so during the compliance investigation.
"As this investigation is now active no further comments will be made on it until it is concluded. When the OPC finishes its investigation, we will give an update so please keep in contact with us."
Anyone coming across the Latitude Financial data should take care.
"Do not access it. Do not spread it. Do not share it. Report it to the New Zealand Police. Report it to us or you can report it to CERT. No one should contribute to its dissemination and increase the anxiety and distress of the affected individuals."
Individuals should be on the lookout for anything out of the ordinary.
"Be hyper vigilant. Watch out for suspicious texts, emails or unusual things happening with your accounts or records. Be particularly cautious of contact from an unknown source."
If people would like to know more about some steps, they could take to protect themselves from privacy breaches they could follow this link: https://privacy.org.nz/resources-2/protecting-yourself-from-a-privacy-breach/
Timeline:
- Latitude Financial informs the OPC it was breached on March 16.
- The Office of the Privacy Commissioner starts its preliminary enquiries into the breach including working with the OAIC.
- The NZ Office of the Privacy Commissioner and the Australian Office of the Information Commissioner commence a joint compliance investigation into Latitude on 9 May.
Facts:
- Latitude Financial Services Limited NZ provides a wide range of financial and (limited) insurance services to customers across New Zealand via Gem Finance and Gem Visa and several subsidiary groups.
- Latitude Financial Services Limited NZ is a subsidiary of Latitude Holdings based in Australia. As such we will continue to work closely with the OAIC as our investigation progresses.
- Latitude Financial have estimated that 14 million NZ and Australian customer records have been exposed because of the 12 March attack of which around 1.08 million are NZ customer records.
- The 1.08 million NZ customer records includes around 1.037 million driver license records, around 40,000 passport records and sensitive income and expense information. The income and expenditure information was submitted as part of a personal loan application process.
- The Privacy Act 2020 places responsibility on Latitude for keeping personal information data secure.
- The OPC regulatory role is to understand whether reasonable steps to keep personal data secure have been followed, including appropriate data retention practices and to monitor the Latitude response to the cyber-attack breach.
The difference between preliminary inquiries, a compliance investigation and a complaint investigation
- Preliminary inquiries allow us to ask questions and assess the situation. Agencies provide information voluntarily.
- A compliance investigation is undertaken under Part 6 of the Privacy Act 2020. It is designed to allow the Privacy Commissioner to hear or obtain information from any person he considers may have relevant information to enable him to decide whether to issue a compliance notice to an agency for breaching the Privacy Act. A compliance notice requires an organisation to do something or to stop doing something, in order to comply with the Privacy Act. A compliance investigation can be used to inform the investigation of individual complaints where there are multiple complaints of the same nature.
- A complaint investigation is undertaken under Part 5 of the Privacy Act 2020. These investigations are focussed on the harm caused to the individual by a privacy breach and seek to resolve the complaint including through compensation or redress.