The privacy watchdogs of Australia and New Zealand are teaming-up to investigate the impact of the Latitude Financial Services mega-hack.
The New Zealand Office of the Privacy Commissioner (OPC) and the Office of the Australian Information Commissioner (OAIC) have launched their first joint privacy investigation into the 12 March data breach.
The joint effort reflected the impact of the data breach on individuals in both nations, a joint statement released this monring said
The breach has seen millions of A/NZ records exposed, including drivers’ licenses, passports and sensitive financial data including personal income and expense information.
The joint investigation will allow the use of both agencies’ resources, however, the structure of the investigation does not preclude the OAIC and OPC reaching separate regulatory outcomes or decisions.
The investigation will focus on whether Latitude took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.
The investigation will also consider whether Latitude took appropriate steps to destroy or de-identify personal information that was no longer required.
New Zealand's deputy privacy commissioner, Liz MacPherson, said the investigation would focus on how the hackers’ gained entry to Latitude Financials’ systems, how long they were inside before they were noticed and what Latitude’s staff did when they discovered the attack.
The retention of information held by Latitude, and the security and storage of that information within its IT systems wuld also be probed.
“This is a significant attack with an appalling result," MacPherson said. "I want to thank the affected customers who have been in contact with us so far. Thank you for your patience and for sharing your experiences with us."
MacPherson also thanked Latitude's board and staff for their constructive engagmeent so far.
Affected customers were encuraged to contact Latitude Financial and national identity and cyber support service ID Care for support in the first instance.
Individual complaints won't be assessed until the compliance investigation is completed, but the watchdogs did want to get a sense of the number of people affected and the issues they were facing.
Individuals should be on the lookout for anything out of the ordinary.
“Be hyper vigilant," MacPherssaid. "Watch out for suspicious texts, emails or unusual things happening with your accounts or records. Be particularly cautious of contact from an unknown source.”
Last month, Latitude rejected demands from the cyber attackers to pay a ransom in order to delete the stolen data.