Latitude hack prompts possible class action after millions of records stolen

Latitude Financial Services is facing a potential class action over the theft of 14 million consumer records following a cyber attack this month.

Sarah Ison and Joseph Lam

2 min read

7:09PMMarch 28, 2023

Gordon Legal and Hayden Stephens & Associates announced on Tuesday they were exploring a possible class action against Latitude Financial Services.

Latitude Financial Services is facing a potential class action over the theft of 14 million consumer records following a cyber attack this month, as the Coalition says the incident is a “test” for the government’s new laws ramping up maximum fines on companies that fail to protect customer data.

Gordon Legal and Hayden Stephens & Associates announced on Tuesday they were exploring a possible class action against the company, launching an online platform for Latitude customers to register interest in joining the legal suite.

The ASX-listed company on Monday revealed almost eight million Australian and New Zealand drivers’ licence numbers had been stolen, along with more than six million records, 53,000 passport numbers and just under 100 financial documents – some of which dated back to as early as 2005.

James Naughton, a Gordon Legal partner, said the firms would investigate any economic losses or “emotional harm” caused to customers and expected “thousands” of people to register interest in joining a class action.

“It might be the case that for some people it’s an inconvenience or an annoyance; perhaps they don’t have to do anything at all, or all they have to do is change their driver’s licence or update records or something like that … But it might have serious implications for people … who could be exposed to serious harm if their personal information is released publicly,” he told The Australian.

“(This includes those) who don’t want to be contacted or known for legitimate reasons (such as) … victims of domestic violence or other issues.”

Cyber hacks on Crown and Latitude are ‘absolutely concerning'

The Australian Federal Police, which is investigating the breach, confirmed on Tuesday it was trawling the dark web to see whether Latitude customer information was being sold.

“There is no evidence … the personal details of Latitude Services customers are available, or being sold on online or dark web forums,” the AFP said in a statement. “The AFP will take immediate action – through disruption capability or charges – if individuals or groups are selling stolen personal information online.”

Police said Operation Guardian – a taskforce investigating the fallout of the Optus breach in September – had been expanded to take in the Latitude incident.

Slater and Gordon Lawyers confirmed it was monitoring the situation and “particularly concerned by the suggestion some of those affected may have been customers up to 18 years ago”.

A spokesman for the Office of the Australian Information Commission said it had engaged with Latitude and made “preliminary inquiries regarding their cyber security incident”.

Hayden Stephens said the Latitude incident represented “one of Australia’s largest data breaches”, which necessitated an independent investigation into the company and the option for compensation to be explored.

Latitude Financial data breach impacts 7.9 million customers

“Australian laws regulate how companies hold information and how that information is to be used. We’ll be exploring whether there’s been a breach in relation to that and … what steps Latitude had in place to protect information of consumers,” he said.

“In circumstances where we feel there has been a breach by Latitude in its obligations towards customers, the options are, of course, lodging a representative proceeding either with the Privacy Commissioner or through the Federal Court process.”

Mr Stephens and Mr Naughton welcomed new laws that increased maximum penalties from $2.2m to $50m or 30 per cent of a company’s turnover in the relevant period.

Opposition legal affairs spokesman Julian Leeser said laws introduced in September were a “recognition business has a responsibility to do everything it can to keep the data of Australians safe … The Latitude incident will be a test for the new laws.”