Both the Office of the Australian Information Commissioner (OAIC) and ASIC have published information for affected individuals following Latitude Financial’s announcement of its cyber security incident on 16 March 2023.

Subsequent ASX announcements by Latitude disclose that:

• As at 27 March 2023 Latitude says it has identified that approximately 7.9 million Australian and New Zealand driver licence numbers were stolen, of which approximately 3.2 million, or 40%, were provided to it in the last 10 years.
• In addition, approximately 53,000 passport numbers were stolen.
• It has identified less than 100 customers who had a monthly financial statement stolen.
• Latitude will reimburse its customers who choose to replace their stolen ID document.
• A further approximately 6.1 million records dating back to at least 2005 were also stolen, of which approximately 5.7 million, or 94%, were provided before 2013. These records include some but not all of the following personal information: name, address, telephone, date of birth.

UPDATE: On 11 April 2023 Latitude announced it had received a ransom demand from the criminals behind the cyber-attack on it but that Latitude refused to pay a ransom.

UPDATE: On 10 May 2023 the Office of the Australian Information Commissioner (OAIC) announced that it will conduct a joint investigation with the New Zealand Office of the Privacy Commissioner (OPC) into the personal information handling practices of the Latitude group of companies (Latitude).

This is the first joint privacy investigation by Australia and New Zealand and reflects the impact of the data breach on individuals in both countries.

It does not preclude the OAIC and OPC reaching separate regulatory outcomes or making separate decisions regarding the most appropriate regulatory response to a breach.

The OAIC investigation will focus on whether Latitude took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.

The investigation will also consider whether Latitude took reasonable steps to destroy or de-identify personal information that was no longer required.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.