Cyber Brief for CFOs: October 2024
Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We bring you all …
In a first-ever team-up, the New Zealand Office of the Privacy Commissioner (OPC) and the Office of the Australian Information Commissioner (OAIC) officially started a joint privacy investigation into Latitude Financial’s March data breach.
Their announcement followed preliminary inquiries conducted by both offices. It’s the first time we’ve seen this type of trans-Tasman collaboration, underscoring the scale and significance of the incident – New Zealand’s largest data breach yet.
The breach exposed millions of records belonging to New Zealanders and Australians. Worryingly, this encompassed sensitive information like driver’s licenses, passports and highly personal financial data, including personal income and expense details. In other words, it’s the kind of information that makes it easier for fraudsters to pull off the cyber-crimes that have been on the rise in New Zealand.
The investigation will leverage the combined resources of the OPC and OAIC, though it won’t prevent the agencies from reaching separate regulatory outcomes or decisions about next steps.
Deputy Privacy Commissioner Liz MacPherson highlighted several key areas of focus for the investigation, including:
The investigation aims to address the fundamental question of whether Latitude could have taken stronger preventative measures to impede the hackers’ infiltration and data theft, as well as examining the reasons behind the retention of past customers’ personal information – some records span back to 2005.
The OPC has said it will exercise its full information-gathering powers during the compliance investigation, including the ability to compel individuals to provide information and summon witnesses. Obtaining this information will be crucial in establishing the extent to which Latitude may or may not have contributed to the magnitude of the breach. These facts will play a crucial role in making decisions regarding individual complaints filed by impacted Latitude customers.
The company estimates that approximately 14 million customer records, including around 1.08 million from New Zealand, were compromised during the attack. Among these records, there are approximately 1.037 million driver’s license records, around 40,000 passport records and sensitive income and expense information, which were part of personal loan applications. These numbers are roughly 40 times larger than what was initially reported in the early days of the breach.
Under the Privacy Act 2020, Latitude Financial bears the responsibility of ensuring the security of personal information. The OPC’s regulatory role is to assess whether reasonable measures were taken by Latitude Financial to protect the data, including appropriate data retention practices.
“This breach has had a devastating impact, and we extend our gratitude to the affected customers who have reached out to us thus far. We appreciate their patience and willingness to share their experiences,” MacPherson said.
The Deputy Privacy Commissioner further emphasised the human cost associated with such breaches, recounting stories of former Latitude customers who took out loans for everyday purchases years ago and whose identities are now held to ransom.
While affected customers are encouraged to initially seek support from Latitude Financial and ID Care, MacPherson also urged them to reach out to the OPC if they haven’t received a response within 30 working days. As of May 2023, the OPC website prominently displays a message directing Latitude customers toward an information page for further assistance.
New Zealand authorities have issued a cautionary note to anyone who comes across the Latitude Financial data, urging them not to access, spread or share it. Instead, the office has said that any encounters with the data should be reported to the New Zealand police or OPC. They’ve also urged Kiwis to maintain a heightened sense of vigilance and remain alert to any suspicious activity. This includes being cautious of unsolicited texts, emails or any unusual occurrences related to their accounts or records.
While it’s critical to be vigilant around communications from unknown sources, it’s equally important to remember that fraudsters are sometimes pretty good at impersonating contacts you do know and trust. And that’s especially the case if they can get their hands on stolen data from breaches like Latitude’s.
Further, would-be fraudsters often target organisations with tactics that are tailored to circumvent your security measures and financial controls. Since the goal is usually to steal money, AP staff tend to end up as the final defence against these scam attempts – to protect your team and your business, make sure you know the ways to minimise fraud risks.