Latitude hack: Thousands of requests to replace driver licences after Genoapay, Gem customer data breached

The disastrous data breach affected millions of people including customers of Genoapay. Photo / Dean Purcell

Thousands of Kiwis have requested replacement driver licences after the disastrous Latitude Financial data breach.

A Wellington customer who had her data stolen in the March 12 hack said the situation was disturbing.

“Everything I touch I’m now paranoid about.”

She took out a loan in 2019 and then heard about the data theft in March.

“The company said it was alerting people and because I heard nothing, I assumed I had been lucky. Until last week.”

She received a letter in May saying her data was stolen but without specifying what had been compromised.

“I couldn’t even remember whether I’d sent them my driver’s licence or passport but then found I’d sent them my licence as well as bank account numbers.”

She was one of the customers alerted on May 5 to the news even more personal data had been stolen.

“It sounds like Latitude don’t have much idea about who’s had what stolen.”

She was one of the thousands of Kiwis now requesting a new licence.

“It’s a f*****g rigmarole.”

Waka Kotahi NZTA confirmed many people citing the hack had been in touch to get replacements.

“After being alerted that driver licence data was stolen from Latitude Financial Services, Waka Kotahi began tracking requests for replacement driver licence cards,” a transport agency spokeswoman said.

“As of May 10, we have processed approximately 6000 driver licence card requests specifically due to the Latitude incident, and requests continue to be received.”

Replacement licences will have the same licence number but a new version number, NZTA said.

The version number is a critical part of the driver licence number, akin to the three-digit CVV number on credit cards.

The Office of the Privacy Commissioner and the Australian Information Commissioner this week announced a joint privacy investigation into the data breach.

It is the first joint privacy investigation by Australia and New Zealand.

The privacy commissioners said the bilateral effort reflected the serious impact of the data breach on people in both nations.

Latitude has said an attacker or attackers used compromised login credentials, obtained through a third party, to access Latitude’s network and steal personal information.

Latitude in late March said data of 7.9 million New Zealand and Australian drivers’ licences was stolen.

The company included the Genoapay and Gem services.

Australian law firm Gordon Legal, along with Hayden Stephens and Associates, is investigating a potential lawsuit against Latitude Financial.

The law firm said it might sue the finance company “for serious security breaches which have compromised the personal information of past and present customers”.