Over one million past and present New Zealand drivers’ licences have been exposed as part of the attack on Latitude Finance, as well as people’s passports. Some of the 14 million New Zealand and Australia records taken are up to 18 years old, which isn’t okay.
Liz MacPherson, New Zealand’s Deputy Privacy Commissioner says that data retention is emerging as a key issue in several recent domestic and global cyber-attacks including the Latitude Finance breach.
“Data retention is the sleeping giant of data security. There are consequences for holding onto data you no longer need. All businesses and organisations can learn from this: don’t collect or hold onto information you don’t need. The risk is simply too high for your customers and your organisation. Don’t risk being a hostage to people who make it their day job to illegally extract data.”
There is no place for a “she’ll be right” attitude to privacy and cyber security. Cyber attackers are active. People are employed to be cyber attackers.
“People make their fortunes from hacking the security of agencies. Having sea borders does not protect your very internet-connected agency from being hacked.
“A key finding from the NZ Institute of Directors’ Director Sentiment Survey report, released late last year, was that a significant proportion of boards were not sufficiently prepared for a digital future and had an “it won’t happen to us” approach. The message from the Office of the Privacy Commissioner is “wake up to yourselves”. We talk to organisations almost every week who are counting the cost of a cyber data breach. Can you risk the impact to your customers and you reputation?”
Agencies should not be collecting or retaining personal information unless it is necessary for a lawful purpose connected with their function or activity. All agencies should have a personal information retention schedule that they review regularly. The simple discipline of deciding how long information will be retained as you collect it and acting on these decisions will save you and your customers a lot of pain.
The Office of the Privacy Commissioner also encourages individuals to challenge hard why an agency needs to collect and retain their personal information.
“If ID is being used as means of verification, ask why it needs to be collected or copied rather than simply sighted and recorded. If your information is being collected, ask how long it will be kept for and why. The more people challenge, the more likely it is that organisations will change their behaviour.”
Privacy needs to become a core business issue, as important as health and safety.
About the Latitude Finance privacy breach
The Latitude Financial cyber-attack involves New Zealanders and Australians so both privacy regulators for each nation are working together.
“We will share each other’s preliminary inquiries as we seek to understand what happened and establish our next steps. This includes the potential for coordinated investigations and joint regulatory action”, says Deputy Privacy Commissioner Liz MacPherson.
The Office was first notified of the breach on March 16. Since then, the size and scale of the data theft has grown dramatically as Latitude has undertaken forensic analysis of their systems.
The combined total of Australian and New Zealand records is now 14 million, including 6.1 million records that are over 10 years old. Some records are at least 18 years old.
“We are continuing to engage with Latitude Financial and our Australian counterparts to understand the nature, causes and consequences of the breach. Unfortunately, the true scale of cyber-security breaches can take some time to be revealed,” says Liz.
The Office is currently focussed on the impact of the attack on individual members of the public. But the Privacy Commissioner also wants answers to some key questions. These include how the cyber-criminal got in, how they managed to penetrate so far and why so many records have been retained for so long.
Latitude Financial is progressively contacting all affected customers who have had their personal data stolen to tell them what has been stolen and how Latitude will assist them.
People who have been contacted directly by Latitude and told what has been stolen should work with Latitude Financial first to try to get a resolution. “It is Latitude Financial’s responsibility to put things right. It is important that affected customers give Latitude a chance to make good on their commitments to provide support. However, if after people have worked with Latitude their privacy harms have not been resolved to their satisfaction, we encourage them people to make a complaint to our Office.”
For both impacted Latitude customers and those who have not yet been told whether their data is impacted the message is to be hyper vigilant.
“Keep a close eye on your accounts for any unusual activity. Work with your banks and telco providers and consider checking your credit record”.
We encourage you to make use of the free expert ID protection advice being provided through IDCare.
Notes:
Please find the CISCO report attached
https://www.cisco.com/c/m/en_us/products/security/cybersecurity-reports/cybersecurity-readiness-index.html
Please find the Institute of Directors New Zealand report below
https://www.iod.org.nz/resources-and-insights/research-and-analysis/director-sentiment-survey-report-2022/#
Please find attached our press release from January on numbers of data breaches
https://www.privacy.org.nz/publications/statements-media-releases/notable-increase-in-data-breaches-reported/
