Date: 2023-05-10

The Office of the Privacy Commissioner has started an investigation into the huge privacy breach at lender Latitude Financial.

It will conduct an investigation jointly with the Office of the Australian Information Commissioner (OAIC) into the privacy breach on March 12 which led to millions of customer records on Australians and New Zealanders being stolen by someone using a Latitude employee’s login details.

The theft included private information on more than a million New Zealanders, representing about 20% of the country’s entire population.

It was only at the start of this month that Latitude finished contacting all the New Zealanders whose data had been stolen.

In New Zealand, Latitude loaned money under the Gem by Latitude brand, and also provided personal loans to Kiwibank customers.

Deputy Privacy Commissioner Liz MacPherson said the investigation would be the first joint privacy investigation by Australia and New Zealand, which reflected the impact of the data breach on individuals in both nations.

“The breach, New Zealand’s largest, has seen millions of New Zealanders’ and Australians’ records exposed, including drivers’ licences, passports and sensitive financial data including personal income and expense information,” she said.

The investigation would focus on whether Latitude took reasonable steps to protect the personal information it held from misuse, interference, loss, unauthorised access, modification or disclosure.

There have been complaints that Latitude held on to people’s data long after they ceased to be borrowers, including in at least one case data that the former customer had asked to be deleted.

Latitude revealed some of the data stolen was collected as far back as 2005, and that seemed to include many former Latitude customers because the company only claimed on its website to have 2.8 million customer accounts.

MacPherson said the investigation would consider whether Latitude took appropriate steps to destroy or de-identify personal information that was no longer required.

She said the investigation would focus on how the hackers gained entry to Latitude Financial’s systems, how long they were inside before they were noticed, and what Latitude’s staff did when they discovered the attack.

“This is a significant attack with an appalling result,” MacPherson said.

“I want to thank the affected customers who have been in contact with us so far. Thank you for your patience and for sharing your experiences with us.

“There is a human cost to a breach. We have former customers of Latitude who took a loan to buy a fridge about 15 years ago and now part of their identity is being held for ransom. We will be asking the same questions these customers are.

“Could Latitude have done anything to prevent the hackers getting in and stealing information? What reasons does Latitude have for holding on to the personal information of past customers for such long periods?”

She thanked Latitude for its “constructive engagement” with the Office of the Privacy Commissioner.

The investigation would establish whether Latitude’s actions or inaction enabled the cyber-criminals and contributed to the scope and impact of the breach, she said.

There had been many complaints to the Office of the Privacy Commissioner, and they would be individually assessed after the completion of the joint investigation.

“We are still encouraging affected customers to contact Latitude Financial and ID Care for support first,” she said.

“They have made commitments to assist impacted customers. If you complain to Latitude and you haven’t heard back from them within 30 working days, then we encourage affected customers to make a complaint to us,” she said.

She called for victims of the breach to contact the Office of the Privacy Commissioner.

She warned former Latitude clients: “Be hyper vigilant. Watch out for suspicious texts, emails or unusual things happening with your accounts or records. Be particularly cautious of contact from an unknown source.”
