Gem by Latitude is one of the brands financed in New Zealand by Latitude Financial.
The personal information of one in five New Zealanders is in the hands of cybercriminals who stole it from lender Latitude Financial.
This makes the theft the biggest privacy blunder in New Zealand history, the Privacy Commissioner’s office has confirmed.
“Given the nature of the deployment of this cyberattack which led to the largest recorded data breach in New Zealand in terms of the number of individuals affected, we are still at the stage of preliminary investigation with Latitude Financial. Yes,” said the spokesperson.
“Currently, Latitude Financial estimates that 13% of the 7.9 million customers whose accounts were compromised in the attack are New Zealanders,” she said.
* Latitude refuses to pay hackers’ ransom demands
* Protect yourself from identity thieves after Latitude mega data hack
* NEWS AVAILABLE: ‘Degree of Inevitability’ Regarding Massive Data Hacking, Says Cybersecurity Expert
“This represents about 20% of NZ’s population, which means everyone likely knows someone affected by this breach,” she said. .
The proportion of adults whose data was compromised in Latitude’s breach was even higher, and nearly 1 million New Zealanders under the age of 15 never became Latitude customers.
Latitude lends in New Zealand under the Gem by Latitude brand, but also provides personal loans to Kiwibank customers.
The case also involved passports, but the number is still unknown.
Many people who have personal information stolen from their Latitude, such as driver’s license numbers, are apparently still unknown.
In an update to the Australian stock market, Latitude only said it was in a “process” to contact those whose data it had failed to secure.
It said it will prioritize all customer inquiries.
Latitude was legally obligated to notify the Privacy Commission of any privacy breach within 72 hours, but that time limit did not include Latitude notifying affected customers.
“Agencies are encouraged to act quickly, keeping in mind the well-being of their customers, staff and the agency itself,” the spokesperson said.
“This involves balancing the risks of notifying customers against the risks of sharing knowledge of a breach broadly. I expect you to.”
Questions have been raised as to why Latitude, which claims to have only 2.8 million active customers, kept so much data on so many previous customers.
However, the Privacy Commissioner’s office was not prepared to issue a statement on what its investigation has uncovered so far.
“We are in regular communication with Latitude Financial and Australian regulators. We are unable to comment on the preliminary investigations we are conducting, but will do so when we are able to issue a statement,” the spokesperson said. the official said.
She also said the office is not ready to speak publicly about what it knows about how Latitude’s cyber defenses were breached.
Latitude said it had received a ransom demand for the return of stolen data, but said it would not pay.
A spokesperson for the Privacy Commissioner said it supports the decision.
“Even if a company pays the ransom, there is absolutely no guarantee that the information will not be shared or sold online,” she said.
It has been the responsibility of current and former Latitude customers to ensure that they do not fall prey to scammers who have stolen their data.
“When it comes to advice on what people can do, we encourage you to keep an eye out for suspicious activity on your account and on the platforms you use,” the spokesperson said.
“People should consider working with their banks and telecom carriers and checking their credit records,” she said.
Latitude investors don’t seem panicked that the company failed to keep customer data safe.
On its last trading day before Latitude reported a major cyber breach to the ASX market, the company’s shares were trading at AUD 1.21 (NZ$ 1.30). Shares on Wednesday had him trading at A$1.26.
In its latest statement to investors, Latitude said it has insurance policies to cover cyber risks.