Latitude Financial Undergoes Formal Investigation

Thursday, 11 May 2023

The New Zealand Privacy Commissioner has launched a formal investigation into the data breach at Latitude in conjunction with the Australian Information Commissioner. Liz MacPherson, Deputy Privacy Commissioner for New Zealand, stated that this would mark the first joint privacy investigation between New Zealand and Australia, highlighting the significance of the breach. "The breach, New Zealand's largest, has seen millions of New Zealanders' and Australians' records exposed," she said.

On March 12th, Latitude Financial suffered a data breach that exposed the private information of more than one million New Zealanders, along with more than six million Australians. The leaked data was not confined to financial information, but also included information pertaining to driver's licences and passports. Despite so many customers being affected, and so much data being leaked, Latitude left it until the 4th of May to contact those affected by the breach.


The primary purpose of the investigation is to ascertain whether or not Latitude took reasonable steps to protect the personal information of its customers. Latitude has previously received complaints for holding on to customers' data long after they ceased to be borrowers, including in cases where the customer had explicitly asked for their information to be deleted.

Companies have an obligation to retain customer records for seven years, though Principle 9 of the Privacy Act 2020 requires companies to dispose of information as soon as that information is no longer required. Latitude revealed that some of the stolen data was collected as far back as 2005, meaning it was kept long after that information would have been required.

MacPherson stated that the investigation would need to examine whether Latitude had made any attempt to 'de-identify' the personal information of the former customers who had their information exposed. Additionally, consideration would be given to how the hackers gained entry to Latitude's systems, how long it was before Latitude noticed the intrusion, and how Latitude staff responded to the incident.

"This is a significant attack with an appalling result," MacPherson said. "I want to thank the affected customers who have been in contact with us so far. Thank you for your patience and for sharing your experiences with us. There is a human cost to a breach. We have former customers of Latitude who took a loan to buy a fridge about 15 years ago and now part of their identity is being held for ransom. We will be asking the same questions these customers are."

"Could Latitude have done anything to prevent the hackers getting in and stealing information? What reasons does Latitude have for holding on to the personal information of past customers for such long periods?" asked MacPherson. The Office of the Privacy Commissioner had received numerous complaints, and MacPherson redirected the angry customers back to Latitude. "We are still encouraging affected customers to contact Latitude Financial and ID Care for support first. They have made commitments to assist impacted customers. If you complain to Latitude and you haven’t heard back from them within 30 working days, then we encourage affected customers to make a complaint to us," said MacPherson.

