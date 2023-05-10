Australian and New Zealand privacy authorities have begun a joint investigation to how the Latitude companies handled sensitive personal information, following the devastating data breach the financial group discovered in March this year.

The company's services are used by large retailers such as Harvey Norman and JB Hi-Fi, and Latitude was subjected to extortion by the ransomware attackers, but refused to pay them.

Vast amounts of personal data and identity documents were copied over by the hackers in the attack, and the privacy watchdogs in Australia and New Zealand now want to know if Latitude took resonable steps to protect the information from "misuse, interference, loss, unauthorised access, modification or disclosure."

The watchdogs will also look into if Latitude took reasonable steps to destroy or de-identify data no longer required.

This is the first time the Office of the Australian Information Commissioner and the New Zealand Office of the Privacy Commissioner have collaborated in an investigation, and it reflects the impact the data breach on individuals in both countries, the watchdogs said.

Six companies will be investigated:

Latitude Financial Services Australia Holdings Pty Ltd

Latitude Finance Australia

Latitude Personal Finance Pty Ltd

Latitude Automotive Financial Services Pty Ltd

Hallmark General Insurance Company Ltd

Hallmark Life Insurance Company Ltd.

If the investigation finds that Latitude has breached one or more of the Australian Privacy Principles, the OAIC and OPC could make a determination that the consumer finance company must ensure the hack doesn't happen again, and redress any loss or damage.

Should serious, and/or repeated interferences with Australian privacy law be found, the Commissioner has the power to seek civil penalties at the Federal Court, of up to A$50 million for each contravention.