
Sharesies warned Govt of 'high risk' two years before Latitude's mega cyberattack

Wednesday, 29 March 2023

Lender Latitude has had private information from 14 million current and former New Zealand and Australian customers stolen in a massive cyberattack

Online share trading platform Sharesies​ warned the Government in 2021​ about the “high risk” of requiring businesses to keep digital copies of identity documents like passports and driver’s licences.

Lender Latitude has had private information from 14 million current and former New Zealand and Australian customers stolen in a massive cyberattack carried out using one of Latitude’s own employee login credentials.

Latitude lends under Gem by Latitude brand in New Zealand, but also made personal loans to Kiwibank customers.

The private information of Latitude current and former customers includes nearly 1.04 million New Zealand drivers’ licences, of which about 16,000 are the images of licences, and the rest are licence numbers.

READ MORE:

* Complaints made to Privacy Commission as Latitude admits 1.037 million New Zealand driver's licence details stolen
* Kiwibank counting customers whose ID data was stolen in massive Latitude privacy breach
* Latitude Financial to cover the cost of replacing 330,000 people's stolen identification following cyber attack

Several thousand Kiwibank customers had their data stolen in the Latitude cyberattack.

But the practice of businesses keeping digital copies of people’s identity documents was something the Ministry of Justice Te Tāhū o te Ture was warned about in a review of the country’s anti-money laundering laws in 2021.

Sharesies was one of four organisations to flag the danger of copies of people’s identity documents being kept by multiple organisations, making an attractive target for cyber criminals.

Asked whether she had been briefed by the Privacy Commission on Latitude’s massive data theft, Kiri Allan, the minister responsible for the Privacy Commission, revealed the warnings that the Ministry of Justice had received.

She said after its review, the ministry recommended businesses be provided with “more clarity” on whether they needed to keep records of documents used to verify a person’s identity, given the potential for identity theft and cyber-attacks.

She said the Government had agreed to progress the recommendation, and work on it was “ongoing”.

“I acknowledge that there are privacy-related challenges in relation to the increasing amount of information collected, stored and disclosed online,” Allan said.

Sharesies’ warning to the ministry in December 2021 said: “We believe requiring all entities that operate digitally to store digital copies of this information is high risk – particularly as more and more entities over time start using digital methods of identity verification”.


“This could risk New Zealand becoming a greater target for data theft and identity fraud,” it said.

It was not only digital copies of identity documents Sharesies was worried about.

It said once people had been identified, businesses should not need to keep photos of them either.

“Consumers are increasingly unhappy with these kinds of photos being taken or stored for long periods of time and there is a real technical compliance burden in storing these safely,” Sharesies told the ministry.

The Anti-Money Laundering and Countering Financing of Terrorism Act requires “reporting entities” like lenders to verify the identity of their customers and keep records for at least five years.

Latitude sent an email to Patrick Lee telling him his private data had been taken in a cyberattack.

But many organisations interpret the law as requiring them to keep digital copies of identity documents like passports and driver's licences.

Investment company Mainland Capital told the ministry in 2021: “An unintended consequence of the regime is that many different organisations hold personal information on the same individual customers. This would magnify the impact of a cybersecurity breach or privacy breach in the event that that occurred.”

Anti-money laundering consultancy Compliance Plus said: “Forcing reporting entities to keep a copy of the document that was used to verify a person’s full name and date of birth could expose the public to identity theft if the reporting entity was subject to a data breach either electronic, or physical.”

Mainland Capital felt the Government should be running a centralised agency which could verify identification, so businesses did not end up storing extensive identification data.

It already did, in the form of RealMe, but that system was in need of modernising.

The Government was also working to pass the Digital Identity Services Trust Framework Bill, which would enable companies to compete with RealMe, providing a means by which their customers could prove their identity digitally, and not by handing over identity documents to multiple companies.

Latitude has been sending emails to people whose data was stolen, giving them tips on how to avoid falling prey to identity thieves.

But customers and former customers have been making complaints to the Privacy Commission, asking it to investigate whether Latitude broke privacy laws by holding private information for longer than it had a legitimate reason to.

The commission said it would work with the Office of the Australian Information Commissioner on the Latitude breach.

Australian law firm Gordon Legal and Hayden Stephens and Associates has asked Latitude customers to register with it for a potential class action lawsuit against the lender.