18 Jun 2023

Three months after Latitude cyberattack, some victims still not notified

6:42 pm on 18 June 2023

By Rob Stock of Stuff


It has been three months since private information on a million New Zealanders was stolen from personal loan company Latitude by cyber criminals, but some are yet to find out they are victims.

Angry former Latitude borrowers contacted Stuff to say they have had letters delivered to their homes this week notifying them they are victims, and Latitude said it had not yet completed notifying victims.

On 16 March, Latitude told investors on the ASX sharemarket, and privacy watchdogs, that it had been subject to a cyberattack in which a Latitude employee login was used to steal customer data.

Latitude has a large personal loan business both in Australia and New Zealand, and the breach included data on about 1 million New Zealanders, making it the largest data breach in New Zealand's history.

In New Zealand, Latitude lends under the Gem by Latitude brand, as well as making personal loans to Kiwibank customers.

The cyberattack sparked a trans-Tasman privacy probe, with the New Zealand Office of the Privacy Commissioner and the Australian Office of the Australian Information Commissioner working together to investigate, though New Zealand privacy laws lack the penalties of Australian privacy laws.

In the first week of May, six weeks after the privacy breach, Latitude said it was sending out the last wave of emails informing New Zealanders their data had been stolen.

But it admitted it still had to send letters to people for whom it did not have a working email address.

Now, more than a month later, letters are still arriving, and it appears some letters may have yet to be sent.

The letters offer "guidance" on what the recipients can do to lower the risk of their information being misused by criminals who could do things like take out loans in their names.

"My wife only got notification today that her personal info was stolen. By post. It's too blinking long. Hope it's not too late," one reader said.

Another said: "Last night I received a letter (they have my email address, but didn't email) stating that I am one of their affected customers. I am most angry about the delay in telling me of three months."

A spokesperson for the lender said: "All affected people, where Latitude had a current email address, were contacted by the start of May.

"We will complete the task of reaching the remaining affected individuals by letter over the next 10 days."

He sought to reassure the people whose data was stolen from Latitude.

"There is no evidence to date of stolen information being released on the dark web," he said.

The scale of the data lost by Latitude brought prompt calls for a probe by the privacy watchdog, especially after it became clear Latitude had been holding on to information on people after they ceased to be customers, and people who had only applied for loans, but then decided against borrowing.

Latitude claimed to only have 2.8 million active customers, but lost the details of more than 14 million.

The Office of the Privacy Commissioner said the breach equated to about 20 percent of the New Zealand population having had private information stolen.

"This means that everyone is likely to know someone impacted by this breach," a commission spokesman said.

-This story was first published by Stuff.
