The Latitude hack exposed personal details of millions. Are our data laws too lax?

Latitude Financial is the latest company to suffer a large-scale data breach. This is what experts say needs to change to ensure our data is better protected.


The scale of a hack on lender Latitude Financial is much worse than previously reported. Source: AAP

Key Points
  • Latitude Financial has suffered a large-scale data breach that has affected millions of customers.
  • The cyber security minister says cyber attacks are a "growing threat".
  • Companies storing unnecessary data leave people vulnerable to hacks, an advocate says.

Latitude Financial says that 7.9 million Australian and New Zealand drivers licence numbers were stolen in a hack earlier in March, a number far higher than initially estimated.

The non-bank lender, which offers loans, insurance and credit cards, said an additional 6.1 million records, including names, addresses, telephone numbers and dates of birth that were provided to the company dating back to "at least 2005" were also stolen in .

The hack has highlighted some of the vulnerabilities in Australian data privacy laws, which have limited ability to protect consumer data, experts say.

A similar hack could happen again partly because the punishments for companies are not strong enough, Swinburne University lecturer on data privacy Belinda Barnet said.

“It could definitely be better regulated, with heavier fines for companies. It’s small change for a large company that has breached the privacy of millions of people and if you have a strong deterrent, then it's an incentive for companies to protect the data,” Dr Barnet said.

“There should be regulation, so that the onus is on the company to have the strongest protections they can possibly afford for consumers’ private data. The onus shouldn’t be on customers to protect their own data and clean up the mess after a hack.”

Latitude Financial’s revelation comes after a series of high-profile cyber attacks in Australia over the past 12 months targeting large companies, including and .

In September, hackers stole data from telco Optus including the user names, dates of birth, phone numbers, email addresses, drivers licence numbers, passport numbers or addresses of

And following a large-scale attack on Medibank in October, which involved publishing health records and private details of more than 40 per cent of the population, the federal government said it would "" and set up a new policing model involving 100 officers.

Latitude Financial disclosed on 16 March that it had detected a "sophisticated and malicious cyber-attack" on its systems a few days earlier, but at the time thought it involved hundreds of thousands of customer records, not millions.

The company has agreements with retailers including JB Hi-Fi, The Good Guys and Harvey Norman.

Some 53,000 passport numbers were stolen and fewer than 100 customers had a monthly financial statement stolen, the company told the ASX.

"We are writing to all customers, past customers and applicants whose information was compromised outlining details of the information stolen and our plans for remediation," the firm said.

Latitude will reimburse customers if they choose to replace their identity document, the company said.

How has the government responded?

Cyber Security Minister Clare O’Neil on Monday said the Latitude hack was “deeply concerning”.

Ms O’Neil acknowledged that cyber attacks are “a growing threat and will become a more routine part of our lives for years to come.”

"On 16 March the Federal Government convened the National Coordination Mechanism to bring together agencies across the Commonwealth, states and territories to ensure that all possible support is being provided to Latitude Financial and all those customers whose personal information has been stolen," she said.

Minister for Cyber Security Clare O’Neil said the government shares the frustration and concern of Australians. Source: AAP / Dean Lewins

Ms O’Neil said the government had last month announced a Coordinator for Cyber Security, supported by a National Office for Cyber Security within the Department of Home Affairs, “to ensure a centrally coordinated approach to deliver the Government’s cyber security responsibilities.”

The federal government is working with states and territories to mitigate the impacts of licences being compromised, she said.

How safe is our data?

It's a problem that nobody knows how safe their data is, according to Australian Privacy Foundation board member Jodie Siganto.

“We rely on organisations and government agencies to keep data safe but we have very little information about how they do it,” Dr Siganto said.

“There's no base level cybersecurity system that is regulated and rolled out for companies. So if that was introduced it could give people some comfort to the ways that Australian organisations look after the data that they hold.”

Dr Siganto said some of the high-profile hacks we’ve seen "are not very sophisticated and could definitely happen again".

"They’re due to internal failures of proper control," she said.

"I don’t think the companies that got hacked are that much worse with data than many other companies."

Attorney-General Mark Dreyfus has committed to modernising the Privacy Act and has said he is considering the right for individuals to sue following data breaches, which does not currently exist in Australian law.

Last year legislation was introduced to increase penalties for serious or repeated data breaches from $2.2 million to whatever is the highest of the following options: $50 million, three times the value of any benefit obtained through the misuse of information, or 30 per cent of a company’s adjusted turnover in the relevant period.

Digital Rights Watch executive director James Clark said the Privacy Act needs to afford individuals much stronger protections.

“One of the best defences that we have against other breaches is to not collect unnecessary data to begin with,” he said.

"We really need a Privacy Act that makes it really clear that data minimisation and not collecting this information to begin with is the preference."

There are "some serious questions here that people should be asking about why Latitude kept all of that data", Mr Clark said.

"Once you've identified someone, do you really need to keep a copy of that record? Why does it need to be kept for over a decade?"

Published 28 March 2023 6:44am
Updated 28 March 2023 10:57am
By Madeleine Wedesweiler
Source: SBS News