Three years after NZ’s largest-ever privacy breach, the investigation isn’t complete
Tuesday, 6 January 2026
ANALYSIS: The Office of the Privacy Commissioner (OPC) says it is in the “final stages” of its investigation into the largest data breach in New Zealand history, nearly three years after it happened.
Minister of Health Simeon Brown had to cut short his summer break to respond to the Manage My Health portal breach on December 30 after hackers stole the health records and personal data of about 126,000 patients.
But the Manage My Health privacy breach involved just a fraction of the Kiwis whose data was compromised in March 2023, through a breach of lender Latitude Financial’s system, a hack that caused little political blow-back.
And the OPC is still some months away from deciding on what action, if any, to take against Latitude, which provides personal loans for shoppers, and is most famous for its long-term partnership with furniture and appliance retailer Harvey Norman, though it also provided personal loans to Kiwibank customers.
What happened?
The OPC called the Latitude breach “New Zealand’s largest data breach”.
It saw millions of New Zealanders’ and Australians’ records exposed, among them drivers’ licences, passports and sensitive financial data such as personal income and expense information; the exposed data related to “over 1 million New Zealanders”.
Thousands of people felt they had no choice but to replace key exposed documents, such as drivers’ licences.
The breach happened when a “threat actor” used a trusted third party provider’s credentials to gain access to Latitude’s systems.
Unlike the Manage My Health data breach, which involved private health information gathered under the national health system, the Latitude breach was not viewed as a political issue by the government of the day.
The OPC launched a joint investigation with the Office of the Australian Information Commissioner.
The focus was to be on “whether Latitude took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure”.
But there were also questions about whether Latitude had breached privacy rules by holding on to some people’s data long after they ceased to be customers.
Why so long?
The OPC told The Post the length of time it was taking to complete the Latitude investigation was down to the wide-ranging nature of the investigation, which it had been conducting in tandem with the Office of the Australian Information Commissioner.
But it hoped to finalise the investigation in the “next few months”.
However, the OPC recently warned the Government that it was under financial and workload pressures.
In November, Privacy Commissioner Michael Webster said there had been a 43% rise in the number of serious privacy breaches reported by organisations under the Privacy Act, and he said the public’s “increased concerns about privacy are fast becoming reality”.
In its latest quarterly report to the Government, the OPC alerted it to a rising tide of serious privacy complaints, and the increasing number of complaints that it was not able to resolve after 12 months.
It was projecting an $800,000 budget shortfall for the 2025/26 financial year.
Has Australia moved faster on Latitude?
It appears Australia’s Information Commissioner has already drawn a number of conclusions over Latitude’s compliance with Australian privacy rules.
In a “determination” published in July, it said the circumstances of the attack were unfortunate for the financial firm.
It concluded Latitude did not meet its obligations under Australian privacy rules because “its preparedness and response to the cyber-attack fell below a standard of reasonableness, considering good industry practice and industry guidance at the date of the cyber-attack”.
That case involved a borrower who was no longer a Latitude client after it sold his debt to a debt collector in 2013.
The “threat actor” got its hands on the man’s first and last name, date of birth, residential address, email address, two mobile phone numbers, and driver licence number.
That caused him stress and he feared he would become a victim of identity theft.
Latitude, which said in its latest annual report that it had been cooperating with regulators, denied it had failed to meet its privacy obligations, but the Australian regulator did not agree, and also determined that Latitude had held on to some of the man’s data for far longer than was reasonable.
Latitude offered to pay the cost to the man of replacing his licence, which was an offer it made to every person whose data was stolen.
The regulator ordered Latitude to pay the man A$100 for stress and inconvenience.
Political inaction
After the Latitude breach in 2023, there were calls for New Zealand to take privacy more seriously, and follow Australia in putting in place meaningful penalties for failures by the likes of companies to meet their obligations.
“Our Privacy Act has zero teeth,” was the conclusion of Julia Nicol from electronic payments company Worldline at the time, a sentiment echoed by others.
There were penalties in Australia before telecoms company Optus allowed data on 40% of Australians to be stolen in 2022, the same year in which Medibank allowed data on 9.7 million Australians to be stolen.
But outrage among Australian politicians led them to lift the maximum penalty for data breaches to the greater of A$50 million, or three times the adjusted turnover of the corporate body during the breach period.
In November, NZ Privacy Commissioner Webster renewed calls for penalties to be added to the Privacy Act, calling for a “significantly stronger penalty regime”.
Since government agencies also suffer privacy breaches, such fines could apply to them too in instances where they failed to protect data adequately.
What can the OPC do in absence of penalties?
If, during or after an investigation, the Privacy Commissioner is of the opinion that there is evidence of any significant breach of duty or misconduct on the part of an agency, or an officer, an employee, or a member of an agency, he can refer the matter to the Director of Human Rights Proceedings.
The director may bring proceedings on behalf of a class of aggrieved individuals, and may seek an order of damages from the Human Rights Tribunal, which hears privacy complaints the OPC cannot resolve.
But law firm Dentons said in 2024: “Damages awards in the Tribunal are, on average, relatively low. The Tribunal may award up to $350,000, but most awards tend to be in the tens of thousands with the highest to date for a privacy breach being approximately $168,000.”
And, it said: “Although the Privacy Commissioner can refer a privacy complaint to the Tribunal for prosecution, even then the level of fines is minuscule compared to other jurisdictions.”
Corporate shame, and business interruption, have also proved to be a motivating factor for businesses.
Following the March 2023 breach, Latitude invested heavily in beefing up its cyber defences and systems, and incurred significant costs to tidy up the mess the breach had caused.
In its latest annual report, Latitude, an Australian company with shares traded on the ASX sharemarket, said it had been cooperating with regulators, and that there was the possibility of “enforcement action costs”, and even class action lawsuits.