1News can reveal the Privacy Commissioner's office has opened an investigation into Latitude Financial, and its role in New Zealand's largest data breach.
The breach from March has already exposed 1,037,000 New Zealand driver licence numbers, along with details from 34,000 passports.
Approximately 90,000 customers in New Zealand have had their personal banking numbers as well as income and expense information used to assess loan applications exposed.
A spokesperson for the Privacy Commissioner told 1News a joint investigation has been launched with the organisation's Australian counterparts.
It's the first joint investigation between the two countries and allows both agencies to share resources.
Deputy Privacy Commissioner Liz MacPherson said they will focus on how the hackers’ gained entry, what Latitude’s staff did when they discovered the attack, and why the data was being held for long periods of time.
“This is a significant attack with an appalling result," she said.
In a statement to 1News, a spokesperson for Latitude Financial said the company will continue to cooperate with both New Zealand and Australia's Privacy Commissioners.
The investigation will also cover the security and storage of that information within Latitude's IT systems.
"We have former customers of Latitude who took a loan to buy a fridge about 15 years ago and now part of their identity is being held for ransom," MacPherson said.
A compliance investigation enables the Office of the Privacy Commissioner to use its full information gathering powers including obliging people to provide information and summoning witnesses.
Affected customers are being urged to contact the Commissioner's office on latitude.breach@privacy.org.nz, where they'll be assigned an investigator once the compliance investigation is completed.
A spokesperson said that work will focus on whether Latitude Financial breached the Privacy Act 2020, which outlines the company's responsibilities for keeping personal information data secure.
"While there are consequences for breaching the privacy principles the NZ Privacy Act does not include a civil financial penalty regime," the spokesperson said,
"The primary consequences come through either an individual bringing a complaint to us and seeking compensation for the harm done to them (mediated by OPC or through the Human Rights Review Tribunal), or we can issue agencies with a compliance notice following a compliance investigation to make them do something or stop doing something, which can create costs for an agency, or there is the reputational damage to the agency which can be very significant such as loss of customer base."
SHARE ME