Latitude Financial breach - another reminder of cyber security risks from data held by third party service providers

It has been reported today that hundreds of thousands of customer records have been stolen from service providers to consumer lender Latitude, which provides credit to shoppers at stores such as JB Hi-Fi and Harvey Norman.

Latitude has informed customers that:

• the threat actor appears to have stolen personal information that was held by two Latitude service providers, impacting customers across both Australia and New Zealand.

• they understand that approximately 103,000 identification documents, more than 97% of which are copies of drivers’ licenses, were stolen from one service provider;

• approximately 225,000 customer records were stolen from a second service provider.
  
  

This is yet a further reminder of the need for organisations that engage service providers that will hold sensitive identification data to ensure that this data is collected and stored in a manner which is compliant with its obligations under the Privacy Act and is not vulnerable to access by external or internal threat actors. It will be interesting to see how this plays out given:

• recent high profile cyber breaches which have clearly put organisation on notice of these sorts of risks;

• the current OAIC investigations and the class actions already being pursued against Optus and Medibank for failing to properly secure identification data and keeping data when no longer reasonably necessary; and

• recently increased penalties for breach of the Privacy Act.
  
  

This latest incident provides further impetus for the implementation of proposed amendments to the Privacy Act which we have previously outlined in our article.

This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.

DMAW Lawyers has partnered with Comunet & Digital Trace Australia to form a comprehensive, industry leading cyber security service group, the Cyber Alliance Group.

Head to the Cyber Alliance Group website to find out more about our full service, cyber security offering and how we can assist your business.