
Latitude data breach – lessons in how to follow your cybersecurity compass

04 April 2023
Ashley Hunt
Reading time: 4 mins

It seems that every other week reports sweep the nation of hackers exposing gaps in companies’ security networks to gain access to customers’ valuable and sensitive personal information. What sets the Latitude data breach apart from the others is the newly enforced legislative changes that could see the Office of the Australian Information Commissioner (OAIC) penalise Latitude with a fine of up to $50 million, dwarfing the previous maximum penalty of $2.2 million.

How severe is the Latitude data breach?

In our recent insight article, we outlined a timeline of key dates in the Medibank data breach. Medibank first publicly suspected a data breach on 13 October 2022 and denied that the cyber criminals had removed customer data from the Medibank network until 1 week later, when a sample of the compromised data was presented to it. In less than 3 weeks the cyber criminals began releasing the compromised data on the dark web and continued to do so periodically until they claimed all files were available online.

Latitude disclosed the data hack for the first time on 16 March 2023 and reported that only 330,000 customers had been affected. It took just 2 weeks for those figures to climb to somewhere in the range of 8-14 million compromised customers, with Latitude itself admitting things were far worse than initially thought. These estimated figures could make this data breach the biggest in Australian history.

As a consumer lending agency, Latitude holds extremely valuable and sensitive data. Similar to the Medibank and Optus data breaches, customer names, addresses, phone numbers, dates of birth, and passport numbers have been compromised. Customer financial statements were also among the files extracted from the Latitude database.

Considering this is a rapidly evolving incident, it is difficult to predict how severe it may become. Previous data breaches show that cyber criminals often move swiftly and that the situation can quickly spiral out of the company’s control. The kinds of information that the hackers have extracted, combined with the volume of data they now possess, are hallmarks of a cyber-attack with particularly severe consequences.

A failure to adequately protect their customers’ data

The key allegation now facing Latitude is that it has failed to adequately safeguard customer data. What has garnered considerable attention is how long Latitude has held onto the data of its former customers, even where those customers had closed their accounts. Latitude has attempted to address the concerns raised over its data retention practices by relying on legal and regulatory requirements, namely the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the Act). As a money lending agency, Latitude is subject to the provisions in the Act requiring it to retain personal information (which includes the customer’s name, address, driver’s licence and passport) and financial records for 7 years.

Despite the OAIC’s recommendation that entities ‘take reasonable steps to destroy or de-identify personal information where it is no longer necessary to be retained’, it is estimated that 5.7 million of the compromised customer records had been held by Latitude since before 2013.

Is it really better to ask for forgiveness than permission?

As companies scrutinised over previous high-profile data breaches have experienced, the reputational damage suffered can make it an extremely difficult task to earn back customers’ trust. Tied in with the reputational damage are the financial losses associated with swathes of customers, investors and business relationships parting ways with the company subjected to the cyber-attack. Both Optus and Medibank have suffered significant financial losses, with Optus’s losses estimated at $1.2 billion since the telecommunications company’s cyber-attack in 2022.

While the reputational and financial consequences of a high-profile cyber-attack are disastrous in their own right, a company that inadequately safeguards its customers’ data is also likely to face an uphill legal battle, often in the form of impending class actions. If a company is not already regretful of its data management practices by this stage, the courtroom must be a stark reminder that privacy should never be an afterthought.

Key takeaways

  1. The recent legislative changes raising the maximum penalty the OAIC can impose from $2.2 million to $50 million for companies that commit serious or repeated interferences with privacy are in effect and may result in the OAIC making an example of Latitude.
  2. Despite the Act requiring Latitude to retain customer data for 7 years, the conscious (or unconscious) decision to keep former customers’ data for longer is in direct contradiction to the OAIC’s recommendation to destroy information that is no longer necessary to retain.
  3. The recent cyber-attacks on other companies have proven to be particularly severe for their reputation and financial position, and have caused avoidable legal headaches.

Following on from the heightened penalties that were swiftly passed by Parliament, significant further changes to the Privacy Act 1988 (Cth) have also been proposed. Macpherson Kelley’s Privacy experts are across existing Australian law and remain up to date on any changes, or proposed changes, in the compliance space. To ensure your business is compliant and has in place appropriate policies to prevent and manage a data breach, please reach out.
