Date: 2023-04-04

NZ's deputy privacy commissioner is describing data retention as the "sleeping giant" of cyber security as fallout from the Latitude Financial breach spreads.

Forensic analysis showed that, of the 14 million New Zealand and Australian records taken in the hack, 6.1 million were over 10 years old and some were at least 18 years old.

Over a million drivers’ licences as well as passports had been exposed as part of the attack, marking data retention as an emerging issue.

“There are consequences for holding onto data you no longer need," deputy privacy commissioner Liz MacPherson said. "All businesses and organisations can learn from this: don’t collect or hold onto information you don’t need.

"The risk is simply too high for your customers and your organisation. Don’t risk being a hostage to people who make it their day job to illegally extract data.”

A key finding from a NZ Institute of Directors director sentiment survey released late last year was that a significant proportion of boards were not sufficiently prepared for a digital future and had an “it won’t happen to us” approach.

Agencies should not be collecting or retaining personal information unless it was necessary for a lawful purpose connected with their function or activity, MacPherson said. All agencies should have a personal information retention schedule that they reviewed regularly.

The discipline of deciding how long information will be retained as it is collected, and acting on these decisions, would save organisations and their customers a lot of pain.

The Office of the Privacy Commissioner also encouraged individuals to challenge agencies on why they needed to collect and retain their personal information.

“If ID is being used as a means of verification, ask why it needs to be collected or copied rather than simply sighted and recorded," MacPherson said.

"If your information is being collected, ask how long it will be kept for and why."

Since the commissioner was first notified of the breach on March 16, the size and scale of the data theft had grown dramatically.

“We are continuing to engage with Latitude Financial and our Australian counterparts to understand the nature, causes and consequences of the breach," MacPherson said. "Unfortunately, the true scale of cyber-security breaches can take some time to be revealed."

The Office of the Privacy Commissioner wanted answers to some key questions, including how the cyber-criminal got in, how they managed to penetrate so far and why so many records had been retained for so long.

Latitude Financial was progressively contacting all affected customers who had their personal data stolen to tell them what had been stolen and how Latitude could assist.

“It is Latitude Financial’s responsibility to put things right," MacPherson said. "It is important that affected customers give Latitude a chance to make good on their commitments to provide support.

"However, if after people have worked with Latitude their privacy harms have not been resolved to their satisfaction, we encourage them to make a complaint to our office.”

For now, customers had to be hyper vigilant, keeping a close eye on their accounts for unusual activity, working with their banks and telco providers, considering a check on their credit records and using tools such as IDCare.