Class action looms for Latitude data breach

Law firms Gordon Legal and Hayden Stephens and Associates have announced they are investigating a potential legal action against Latitude Financial over the massive data breach, which includes personal data for customers stretching back to 2005.

Earlier in the week Latitude confirmed that the stolen data includes 7.9 million driver’s license numbers; 53,000 passport numbers; and 6.1 million customer records which include personal information (name, address, telephone, date of birth).

The breach has affected millions of past and present customers of Latitude Financial and is one of the biggest in Australian history. More information about the breach is still being uncovered, but as of 27 March 2023, it is estimated that the private data of up to 8 million past and current customers has been stolen.

“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly,” said Latitude’s chief executive, Ahmed Fahour.

Gordon Legal partner James Naughton said the firm was investigating how a breach of this size could occur, including the effectiveness of Latitude’s security measures.

“Latitude customers deserve to understand their legal rights and the steps that have been taken to protect their personal data,” he said.

The Office of the Australian Information Commissioner (OAIC) has announced it is making “preliminary inquiries.”

The fact that customer data from 18 years ago was included in the breach will no doubt come under scrutiny.

In an earlier statement to the Australian Stock Exchange, Latitude stated that the breach extends to previous applicants and customers who may have closed their account as it “is required to retain account records for at least 7 years after an account is closed. This is to comply with Anti-Money Laundering and counter-terrorism financing laws.”

Under the Australian Privacy Principles (APPs), guidelines used by the Office of the Australian Information Commissioner (OAIC), Principle 11.2 states that "entities must also take reasonable steps to destroy or de-identify the personal information they hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs".

The Latitude breach is now one of the biggest in Australian history. It follows a string of other breaches, including attacks on Medibank and Optus. Other law firms are also investigating potential class actions over these breaches.

Earlier this week, Crown Resorts, Australia's largest casino operator, was targeted by a ransomware group that claims to have accessed some of the company's files following a data breach at its file transfer service.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 substantially increased the fine for Australian companies that breach the privacy of their customers or clients, with the maximum fine of $A2.5 million increased to $A50 million, or 30 percent of the company's adjusted turnover for the financial year, whichever figure is higher.