You might have thought the biggest privacy breach in New Zealand’s history would rate a little more publicity. After all, 25% of adult Kiwis have apparently lost data to hackers. Personal data. Names, addresses, birth dates, scans of documents such as driver’s licenses and passports – in fact, all you’d need to steal someone’s identity and take out loans on their behalf.
Sometime in early March, Latitude Financial Services, Australia’s biggest non-bank lender – a company specialising in unsecured personal loans, credit cards, car loans, and interest-free retail finance – was hacked. On 16 March, they said they believed that the data of around 330,000 people had been accessed. By 27 March, that figure was almost 25 times higher. In a statement to the Australian Stock Exchange (ASX) they admitted the true extent of the breach:
- 7.9 million Australian and New Zealand driver licence numbers.
- 53,000 passport numbers.
- 6.1 million financial records dating back to at least 2005.
In New Zealand, Latitude do business under the name of Gem Finance. They run the Gem Visa card, provide personal loans to Kiwibank customers under the Gem by Latitude brand, and until recently ran Genoapay, a buy now, pay later business dealing through retailers such as Harvey Norman, Noel Leeming and JB Hi-Fi.
Latitude reckon that around 13% of those 7.9 million hacked accounts belonged to Kiwis. That’s just over a million accounts. But it’s even worse than that. Around a fifth of Kiwis are under 15 so couldn’t possibly have been customers. That just leaves four million people, one quarter of whom are now at risk of identity theft.
Have you been told yet?
On 11 April, Latitude Managing Director and CEO Bob Belan said, “Our priority remains on contacting every customer whose personal information was compromised and to support them through this process.” That’s almost a month after the hack was first discovered. Many Kiwis are still waiting to hear. I can’t help wondering if it would take Latitude a month to get in touch if you missed a payment?
How did they lose it?
We’ll probably never know how they lost so much data, but there was a clue in this Radio NZ report from 11 April [my italics]:
[Latitude CEO] Belan said Latitude had been working on safely restoring its IT systems, bringing staffing levels back to full capacity, enhancing security protections and returning to normal operations.
https://www.rnz.co.nz/news/business/487723/latitude-hack-ransom-demanded-company-says-it-won-t-pay
Complex systems, under-resourcing, inexperienced staff, inadequate testing, inadequate training, outsourcing work, management demands… it’s a familiar picture.
Before that hack, Latitude claimed to have just 2.8 million customers. So how did they lose the data of 7.9 million people? Simply by not throwing anything away. As I’ve pointed out before, storing data is cheap, and you never know when it might come in handy. Like, say, if you wanted to develop an app “that can identify spending patterns that not only show people their past behaviours but can also predict future ones.”
And the headline for that web page? Seriously, you couldn’t make this stuff up…