Australia’s privacy watchdog launches joint investigation into Latitude hack

The nation’s privacy watchdog has announced today it will enter a joint investigation with the New Zealand Office of the Privacy Commissioner (OPC) to scrutinise a Latitude (ASX: LFS) cyberattack that resulted in 14 million personal documents being stolen earlier this year.

The Office of the Australian Information Commissioner (OAIC) will work with the New Zealand agency to determine whether the finance firm took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.

Personal data stolen in the breach included almost 8 million Australian and New Zealand drivers licence numbers, 53,000 passport numbers, less than 100 customer financial statements and 6.1 million records containing personal information including names, addresses, telephone numbers and dates of birth.

Following the hack, Latitude refused to pay a ransom demand issued by the criminals behind the attack.  

Five weeks ago, Gordon Legal and Hayden Stephens and Associates (HSA) announced they were investigating potential legal action against the fintech and would also be investigating the circumstances surrounding the breach.

A cybercrime task force initially established by the Australian Federal Police (AFP) to protect those impacted by both the Optus and Medibank (ASX: MPL) data breaches has also expanded its remit to cover the fallout from the Latitude hack.

Today’s announcement marks the first time the OAIC has teamed up with the New Zealand agency to conduct an investigation. While both agencies have joined forces to improve the efficiency of the investigation, they are free to make different findings.

“If the investigation leads to a finding that Latitude has breached one or more of the Australian Privacy Principles, then the Australian Information Commissioner and Privacy Commissioner may make a determination that can include requiring Latitude to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage,” the OAIC said in a statement.

“If the investigation finds serious and/or repeated interferences with privacy in contravention of Australian privacy law, then the Commissioner has the power to seek civil penalties through the Federal Court of up to $50 million for each contravention.”

The hack is part of a growing trend of cyberattacks hitting Australian companies, including enterprise software company TechnologyOne (ASX: TNE),national legal giant HWL Ebsworth, pathology practice Medlab Pathology and intellectual property law giant IPH Limited (ASX: IPH).

Shares in Latitude are down 1.1 per cent to $1.28 each at 1:4pm AEST.