Latitude data breach: Office of Privacy Commissioner launches investigation, calls attack 'significant' with 'appalling result'

An investigation has been launched into last month's Latitude data breach, which has been described as a "significant attack" with an "appalling result".

Last month, Australian financial services firm Latitude said more than 14 million Australian and New Zealand driver's licenses, passports and other personal details were stolen in a cyber attack.

In a statement to the Australian Stock Exchange, it said the attackers had demanded a ransom, which it did not detail.

The Office of the Privacy Commissioner and the Office of the Australian Information Commissioner (OAIC) have now launched a joint privacy investigation, following preliminary inquiries into the matter by both offices.

This is the first joint privacy investigation by Australia and New Zealand and reflects the impact of the data breach on people in both countries. 

"This is a significant attack with an appalling result. I want to thank the affected customers who have been in contact with us so far. Thank you for your patience and for sharing your experiences with us," Deputy Privacy Commissioner Liz MacPherson said. 

"There is a human cost to a breach. We have former customers of Latitude who took a loan to buy a fridge about 15 years ago and now part of their identity is being held for ransom. We will be asking the same questions these customers are. Could Latitude have done anything to prevent the hackers getting in and stealing information? What reasons does Latitude have for holding onto the personal information of past customers for such long periods?" 

Deputy Privacy Commissioner Liz MacPherson announced the first joint Australia-New Zealand privacy investigation on Wednesday. Photo credit: Newshub

The investigation will focus on whether Latitude took reasonable steps to protect the personal information it held from misuse, interference, loss, unauthorised access, modification or disclosure.

It will also consider whether Latitude took appropriate steps to destroy or de-identify personal information that was no longer required.

MacPherson said the investigation will also focus on how the hackers gained entry to Latitude Financial's systems, how long they were inside before they were noticed, what Latitude's staff did when they discovered the attack, and the security and storage of that information within its IT systems.

"This information will help us to establish whether Latitude's actions or inaction enabled the cyber-criminals and contributed to the scope and impact of the breach. Establishing these facts will be critical to our ability to make decisions about the individual complaints that are made to us by impacted Latitude customers," MacPherson said.

"We are still encouraging affected customers to contact Latitude Financial and ID Care for support first. They have made commitments to assist impacted customers. If you complain to Latitude and you haven't heard back from them within 30 working days, then we encourage affected customers to make a complaint to us."

MacPherson thanked Latitude for its "constructive engagement" and said she expects the breach, New Zealand's largest, to have caused "emotional stress" for staff and the Board.

"We also want to know the types of impact and harm people have suffered because of this breach (e.g. examples of harm like identity theft, credit difficulties, undue stress etc)," MacPherson said. 

"We have set up an email for affected customers to contact our team easily. Can you please contact us at latitude.breach@privacy.org.nz"

MacPherson urged anyone who comes across the Latitude Financial data not to spread it.

"Do not access it. Do not spread it. Do not share it. Report it to the New Zealand Police. Report it to us or you can report it to CERT. No one should contribute to its dissemination and increase the anxiety and distress of the affected individuals."

People should be on the lookout for anything out of the ordinary.

"Be hyper-vigilant. Watch out for suspicious texts, emails or unusual things happening with your accounts or records. Be particularly cautious of contact from an unknown source."