
NZ privacy watchdog investigates Latitude Financial breach

Niek Dekker
NZ privacy watchdog will investigate Latitude data breach

In a first-ever team-up, the New Zealand Office of the Privacy Commissioner (OPC) and the Office of the Australian Information Commissioner (OAIC) have officially started a joint privacy investigation into Latitude Financial’s March data breach.

Their announcement followed preliminary inquiries conducted by both offices. It’s the first time we’ve seen this type of trans-Tasman collaboration, underscoring the scale and significance of the incident – New Zealand’s largest data breach yet. 

The breach exposed millions of records belonging to New Zealanders and Australians. Worryingly, this encompassed sensitive information such as driver’s licences, passports and highly personal financial data, including personal income and expense details. In other words, it is the type of information that makes it easier for fraudsters to pull off the kinds of cyber-crime that have been on the rise in New Zealand.

What are the objectives of the joint investigation?

The investigation will leverage the combined resources of the OPC and OAIC, though it won’t prevent the agencies from reaching separate regulatory outcomes or decisions about next steps. 

Deputy Privacy Commissioner Liz MacPherson highlighted several key areas of focus for the investigation, including: 

  • how the hackers managed to breach Latitude Financial’s systems
  • the duration of their unauthorised access before detection
  • Latitude’s response upon discovering the attack
  • the company’s data retention practices, and 
  • the security and storage of the compromised information within its IT systems.

The investigation aims to address the fundamental question of whether Latitude could have taken stronger preventative measures to impede the hackers’ infiltration and data theft, as well as examining the reasons behind the retention of past customers’ personal information – some records span back to 2005. 

The OPC has said it will exercise its full information-gathering powers during the compliance investigation, including the ability to compel individuals to provide information and summon witnesses. Obtaining this information will be crucial in establishing the extent to which Latitude may or may not have contributed to the magnitude of the breach. These facts will play a crucial role in making decisions regarding individual complaints filed by impacted Latitude customers.

The company estimates that approximately 14 million customer records, including around 1.08 million from New Zealand, were compromised during the attack. Among these records, there are approximately 1.037 million driver’s license records, around 40,000 passport records and sensitive income and expense information, which were part of personal loan applications. These numbers are roughly 40 times larger than what was initially reported in the early days of the breach. 

Under the Privacy Act 2020, Latitude Financial bears the responsibility of ensuring the security of personal information. The OPC’s regulatory role is to assess whether reasonable measures were taken by Latitude Financial to protect the data, including appropriate data retention practices. 

A complete timeline of New Zealand’s largest data breach 

  • 16 March 2023: the Australian financial services provider publicly disclosed a cyber-incident stemming from stolen employee credentials. On the same day, Latitude informed the OPC about the breach and the OPC started its preliminary enquiries, including working with the OAIC.
  • 27 March: Latitude continued to disclose conclusions from its forensic investigations, eventually revealing that millions of records were exposed, rather than the hundreds of thousands that were reported in mid-March.
  • 11 April: Latitude said that it would not pay the ransom levied by the alleged perpetrators of the breach. The company’s chief executive, Bob Belan, explained that there was no guarantee that the malicious actors would follow through on their promise to destroy the customer data. The New Zealand government discourages organisations from paying cyber ransoms and has said that its agencies will not pay similar ransoms. 
  • 9 May: The OPC and OAIC announced the commencement of a joint compliance investigation. 

Help for Latitude’s NZ customers

“This breach has had a devastating impact, and we extend our gratitude to the affected customers who have reached out to us thus far. We appreciate their patience and willingness to share their experiences,” MacPherson said.

The Deputy Privacy Commissioner further emphasised the human cost of such breaches, recounting stories of former Latitude customers whose identities are now effectively held to ransom because of loans they took out for everyday purchases years ago. 

While affected customers are encouraged to initially seek support from Latitude Financial and ID Care, MacPherson also urged them to reach out to the OPC if they haven’t received a response within 30 working days. As of May 2023, the OPC website prominently displays a message directing Latitude customers toward an information page for further assistance.

New Zealand authorities have issued a cautionary note to anyone who comes across the Latitude Financial data, urging them not to access, spread or share it. Instead, the office has said that any encounters with the data should be reported to the New Zealand police or OPC. They’ve also urged Kiwis to maintain a heightened sense of vigilance and remain alert to any suspicious activity. This includes being cautious of unsolicited texts, emails or any unusual occurrences related to their accounts or records. 

While it’s critical to be vigilant around communications from unknown sources, it’s equally important to remember that fraudsters are sometimes pretty good at impersonating contacts you do know and trust. And that’s especially the case if they can get their hands on stolen data from breaches like Latitude’s. 

Further, would-be fraudsters often target organisations with tactics that are tailored to circumvent your security measures and financial controls. Since the goal is usually to steal money, AP staff tend to end up as the final defence against these scam attempts – to protect your team and your business, make sure you know the ways to minimise fraud risks.

