Accessible News

Top storiesNew ZealandPoliticsBusinessEntertainmentSportsWorld

Complaints made to Privacy Commission as Latitude admits 1.037 million New Zealand driver's licence details stolen

Tuesday, 28 March 2023

Gem by Latitude revealed the private data of some 14 million customers has been stolen. Australia and New Zealand have a combined population of just over 31 million people.
Gem by Latitude revealed the private data of some 14 million customers has been stolen. Australia and New Zealand have a combined population of just over 31 million people.

Angry Latitude Financial customers have complained to the Privacy Commissioner as the scale of private identity information stolen from the lender continues to emerge.

Latitude’s latest announcement to the ASX sharemarket revealed the private details of 14 million Latitude customers were stolen from its computer systems in a cyberattack this month, including the driver’s licence numbers of 7.9 million Australian and New Zealand customers.

That includes 1.037 million New Zealand drivers’ licences, of which approximately 16,000 are the images of licences, and the rest are licence numbers, Latitude said.

Latitude revealed some of the data stolen was collected as far back as 2005, and that seems to include many former Latitude customers as the company only claims on its website to have 2.8 million​ customer accounts.

**READ MORE:

* Kiwibank counting customers whose ID data was stolen in massive Latitude privacy breach

* Latitude confirms details of 14 million consumers stolen

Cyberattackers are getting smarter and the attacks more sophisticated. A North Island kindergarten association is among hundreds of groups hit at the weekend by a cybercriminal gang believed to be based in Russia.

* Latitude Financial to cover the cost of replacing 330,000 people's stolen identification following cyber attack

**

Ainsley Haslett​ has complained to the Privacy Commission after discovering Latitude failed to delete his personal information after he ceased to be a customer.

He only joined up as a customer to buy a Groove Armada concert ticket late last year through Latitude-owned Genoapay, so he would get access to a special question and answer session.

After the concert he shut his Genoapay account, and in November asked Latitude to delete all the information it held on him.

Latitude makes loans in New Zealand in its own name through the Gem by Latitude brand as well as through Genoapay. It also provided personal loans for Kiwibank customers.

The bank does not yet know exactly how many of its customers have had their data stolen as a result of the Latitude cyberattack, but knows it is over 2000.

Despite Haslett asking Latitude to delete his data, it sent him a marketing email in February, so he asked again for it to delete the information it held on him, and it replied that the data would be deleted.

But last week Haslett got had an email from Latitude saying he was among the 14 million people whose data had been stolen.

“I am very concerned as I had specifically asked to have my data deleted however it seems highly likely it wasn't actually deleted,” Haslett said.

”It indicates management may not have been aware of what data was being held,” he said.

A warning email from Latitude to Patrick Lee telling him his private data had been taken in a cyberattack.
A warning email from Latitude to Patrick Lee telling him his private data had been taken in a cyberattack.

A Privacy Commission spokesperson confirmed complaints were coming in from Latitude customers, but she said: “Given the trans-Tasman nature of the breach we will be working with the Office of the Australian Information Commissioner.”

She did not say whether the commission was investigating Latitude’s compliance with privacy laws.

But she did say: “An organisation should not keep personal information for longer that it is required for the purpose for which it may lawfully be used.”

Privacy Commissioner Michael Webster will be working with the Office of the Australian Information Commissioner on the Latitude Financial security breach.
Privacy Commissioner Michael Webster will be working with the Office of the Australian Information Commissioner on the Latitude Financial security breach.

That included complying with anti-money laundering laws, which require financial companies to keep customer identification records for five years.

“We expect agencies collecting personal information to keep a retention schedule which they regularly review to ensure that they are not retaining information for longer than is strictly necessary,” the Privacy Commission spokeswoman said.

In 2021 the Privacy Commission issued guidance to real estate agents, telling them not to store copies of identification documents from people applying for tenancies.

They only needed the documents to identify them, and did not need to store copies of them, the commission said.

The guidance said: “If tenants apply online or by email, and submit images of their identity documents, these images should be deleted as soon as they’re no longer needed to verify the person’s identity.”

The Privacy Actbstates that an organisation “should not keep personal information for longer than it is required for the purpose it may lawfully be used”.

Latitude notified the commission about the theft of data on March 16, the spokesperson said.

“We are working with them as they seek to understand the size and scope of the breach,” she said.

“Our focus in these early stages is to provide agencies who have experienced a breach with advice on how to minimise the harm caused by the breach on the individuals impacted.

“Under the Privacy Act, agencies that collect and hold personal information have a duty to protect it and respect it to avoid causing harm to people. This includes ensuring personal information is carefully managed, including that it is only shared with the intended recipient.”

Latitude has pledged to pay the costs of replacing compromised identification documents.