The New Zealand Office of the Privacy Commissioner (OPC) and the Office of the Australian Information Commissioner (OAIC) have joined forces to commence a joint privacy investigation into the massive data breach on 12 March at Latitude Financial.
In a statement, the OPC described this collaborative effort as the first of its kind between the two countries, one that underscores the significant impact of the breach on individuals in both nations.
The decision to initiate this joint investigation follows preliminary inquiries conducted separately by the OPC and OAIC. The breach, which is the largest in New Zealand's history, exposed the records of millions of New Zealanders and Australians. Among the compromised information are driver's licenses, passports, and sensitive financial data, including personal income and expense details.
By combining their resources, the OPC and OAIC aim to conduct a comprehensive investigation. The structure of the investigation does not preclude the two offices from reaching separate regulatory outcomes or decisions regarding the most appropriate response to the breach.
The joint investigation will primarily examine whether Latitude Financial took reasonable measures to safeguard the personal information it held, ensuring protection against misuse, interference, loss, unauthorized access, modification, or disclosure.
Additionally, the investigation will assess whether Latitude adequately disposed of or de-identified personal information that was no longer necessary.
New Zealand Deputy Privacy Commissioner Liz MacPherson highlighted the key areas of scrutiny during the investigation.
These include determining the method employed by the hackers to breach Latitude's systems, the duration of the breach before detection, the response of Latitude's staff upon discovering the attack, the retention of customer information by Latitude, and the security and storage practices employed within its IT systems.
MacPherson acknowledged the severe consequences of the breach, emphasizing the human cost it imposed. Former customers who took loans from Latitude years ago now find themselves victims of identity theft, facing ransom demands.
The investigation will explore whether Latitude could have prevented the breach and the reasons for retaining the personal information of past customers over extended periods.
In a compliance investigation, the OPC possesses the authority to utilize its full range of information-gathering powers, including obliging individuals to provide information and summoning witnesses.
By leveraging these powers, the investigation aims to determine whether Latitude's actions or inaction helped the cyber criminals and contributed to the extent and consequences of the breach.
These findings will be crucial in making decisions regarding individual complaints made by affected Latitude customers.
While urging affected customers to initially contact Latitude Financial and IDCARE for support, the OPC encouraged those who do not receive a response within 30 working days to file a complaint with the OPC.
The commission will not begin assessing individual complaints until the completion of the compliance investigation.
However, gathering information about the number of affected individuals and the issues they face is crucial for assigning investigators, planning support measures, and understanding the extent of harm caused by the breach, the office said.
The OPC advised New Zealanders to exercise heightened vigilance and remain alert for unusual activities.
This includes watching for suspicious texts, emails, or anomalous occurrences in their accounts or records.
Furthermore, the public was urged not to access, spread, or share any Latitude Financial data encountered.
Instead, people who encounter such data should promptly report it to the New Zealand Police, the OPC, or CERT to prevent further dissemination and distress to affected individuals.