Australian financial services firm Latitude has confirmed approximately 333,000 customers and applicants have had their personal information stolen in the latest cyber-attack. Latitude has taken its platforms offline as the hack remains active, and the Australian Federal Police is currently investigating the attack.
Latitude announced the detection of unusual activity on its systems on 16 March 2023. Since then, it has discovered that the stolen information includes customers’ driver’s licence, passport and Medicare details.
In an ASX announcement on 20 March 2023, Latitude revealed that 96 per cent of the information stolen was copies of customers’ drivers’ licences or driver licence numbers, less than four per cent was copies of passports or passport numbers and less than one per cent was Medicare numbers.
Latitude said, “In conjunction with our cybersecurity experts, we are continuing our forensic review of our IT platforms to identify the full extent of the theft of customer information as a result of the attack on Latitude”.
“As our review deepens to include non-customer originating platforms and historical customer information, we are likely to uncover more stolen information affecting both current and past Latitude customers and applicants,” the company said.
Rob Nicholls, Associate Professor of Regulation and Governance at the University of New South Wales Business School, said there are two ways this incident can be distinguished from the Optus and Medibank Private data breaches.
“The first is that it’s a financial services business so there is a different level of a trust expectation,” said Nicholls.
“The second is that Latitude has been very clear that this is not a Latitude system that’s been breached, it’s two separate service providers,” he said.
Nicholls explained that this creates issues because the breach occurred in systems that Latitude did not control. Despite this, the case law indicates that Latitude will likely be held liable.
“I think there’s a reasonable amount of case law to say that it doesn’t matter if you’ve outsourced, you’ll still be held liable,” he said.
“Latitude, as a financial services licensee and credit provider, has a responsibility for that breach.”
Nicholls highlighted that lawyers cannot rely on shifting responsibility through contract.
“If you’re advising a client and the client says they’ve outsourced to a service provider and gotten them to agree that it’s their responsibility, that might be the case contractually but in terms of governance it hasn’t solved anything,” said Nicholls.
Nicholls also encouraged lawyers to consider another hacking incident that occurred on the same day as Latitude.
On 16 March 2023, IPH advised that there had been an unauthorised access to the company’s IT environment three days prior. The incident was primarily limited to the document management systems of two IPH member firms – Spruson & Ferguson and Griffith Hack.
“Essentially, the two leading patent attorney firms in this country chose IPH as their outsource provider and IPH has been hacked,” said Nicholls.
“Don’t just think about it as being a risk for your clients, it’s a risk for you.
“As a responsible lawyer in practice you need to ensure that your outsource providers take cybersecurity seriously.”
Principal of Data Synergies Pty Ltd and UNSW Business School Professor of Practice Peter Leonard said that excessive retention of personally identifying data is often the root cause of these data breaches.
“Many cyber-attacks exploit the unfortunate fact that many organisations do not destroy, or securely warehouse, personal data that is no longer required for the purpose for which it was collected,” he said.
“A common element of the Optus data breach and the Latitude data breach appears to be that primary documents used for identity verification were retained long after those documents had been used for verification that a prospective customer is who they say they are.”
Leonard encouraged lawyers to help organisations understand their legal obligations to minimise the collection of personal information to only what is required and to destroy information where it is no longer needed.
“If it can’t be destroyed because of legal obligations to retain records, at least take these records off more generally available online access within an organisation and warehouse them in a more secure and controlled environment, accessible only by specially authorised records managers,” he said.
When asked why data breaches are on the rise, Leonard said that it was due to a combination of factors. First, hackers have become more sophisticated, particularly in how they select their targets.
“In essence, the nature of Latitude’s business requires it to undertake identity verification of customers of a number of large retailers,” said Leonard.
“Accumulations of identity information at one point provide a richer target – what some people might call ‘a honeypot’ – for hackers than trying to hack multiple individual retailers.”
The other aspect that has changed in recent years is that certain countries have chosen to distance themselves from the global criminal enforcement community, Leonard explained.
“Russia in particular, is one of the countries where these hackers are allegedly active. For obvious reasons, Russia is not very motivated to control activities of cybercriminals targeting businesses in nations that are allies of the Ukraine,” he said.
“The other thing that’s changed is that there’s money to be made as people are paying ransoms. The more people pay ransoms, the more it encourages hackers to get information and seek ransoms.”
The outgoing Minister for Customer Service in NSW Victor Dominello has spoken about the potential role of government to provide assured identity services going forward.
“Government should play a key role in building national cyber-resilience of organisations, including businesses. Governments are already working on resolving identity of citizens across multiple government agencies and services, so that citizens only need to ‘tell government once’, and not need to enter the same information and verify identity in multiple places,” Leonard said.
“Federal and State Governments can leverage their technical solutions for ‘tell us once’, and for single point verification of identity, to provide cyber-resilience services for other organisations. This would be good for national security, and also particularly of value to SMEs, who are struggling to keep up with the evolving technical sophistication of the cybercriminals.
“I expect that Federal and State Governments will become a key provider of cyber-resilience capabilities to other organisations, and that this activity will quickly build momentum over the next 6 to 24 months.”