• About Us
  • Advertise with Us
  • Contact Us
  • Events
  • Newsletter
  • Podcasts
  • Digital Magazine
  • Home
  • News
  • Opinion
  • Entrepreneurship
  • Self Development
  • Growth
  • Finance
  • Marketing
  • Technology
  • Sustainability
  • About Us
  • Advertise with Us
  • Contact Us
  • Events
  • Newsletter
  • Podcasts
  • Digital Magazine
NZBusiness Magazine

Type and hit Enter to search

Linkedin Facebook Instagram Youtube
  • Home
  • News
  • Opinion
  • Entrepreneurship
  • Self Development
  • Growth
  • Finance
  • Marketing
  • Technology
  • Sustainability
NZBusiness Magazine
  • News
  • Opinion
  • Entrepreneurship
  • Self Development
  • Growth
  • Finance
  • Marketing
  • Technology
  • Sustainability
Technology

The fallacy about data breaches

Kordia regional cyber security business manager Peter Bailey explains why we can’t accept large-scale data breaches as inevitable. In a data-driven world, our personal information is everything. When we hand […]

Glenn Baker
Glenn Baker
May 8, 2023 4 Mins Read
950

Kordia regional cyber security business manager Peter Bailey explains why we can’t accept large-scale data breaches as inevitable.

In a data-driven world, our personal information is everything. When we hand over our credentials and ID to businesses, we are trusting them. We need to have the assurance that they have measures in place to keep our data safe.

Latitude Finance, the parent company of Gem and Genoapay, recently suffered a major cyber breach which saw 14 million customers impacted across both sides of the Tasman. Personal data was stolen, including drivers’ licences, dates of birth, passport numbers, photos and more. Latitude has confirmed it will not be paying a ransom to retrieve the data – it is yet to be seen whether the cybercriminals responsible will start selling it on the dark web.

This is significant for Kiwis. The Office of the Privacy Commissioner says the theft is the largest privacy failure in our country’s history, with estimates that around 13% of the 7.9 million driver’s licenses compromised belonged to New Zealanders – equating to around 20% of our population.

What’s even more concerning is that according to some reports, this wasn’t an overly sophisticated attack. The threat actor simply leveraged an employee’s credentials and logged into not one, but two of the company’s service providers. So how did this happen? How did Latitude’s defences fail to stop this attack? And why was the exfiltration of such a large amount of data not registered until it was too late?

 

A fallacy

It’s a fallacy to believe that data breaches like this one are inevitable. Yes, it’s true that stopping cybercriminals in their tracks is difficult. But I can assure you, there is a lot that organisations can do to mitigate the impacts of a cyber-attack. They can, and should, be taking every possible step to minimise the amount of personal data a cybercriminal can access. This is a basic responsibility for all businesses.

This incident raises questions about how Latitude and similar businesses store customer data. When we provide our information to businesses of Latitude’s scale, can we trust that they have the very best information security practices in place? Can we be confident that they are doing their very best to stop our data being stolen and exploited?

In my opinion, every business should adopt a best practice approach to data protection that sees a layering of various defensive controls – something we call “Defence in Depth”. This means that should one security measure fail, multiple other layers are in place, making it difficult for attackers to penetrate your data and systems. An attacker should never be able to simply log in and take what they want – the aim here is to close off any opportunities for attackers. The name of the game with security is risk mitigation – how many paths can you close off to the attacker to delay or stop them.

Similarly, regular monitoring and logging of the company’s networks and assets should be in place to pick up potentially malicious activity, such as large, unexpected downloads or unusual accessing of sensitive data. This in turn helps mitigate data exfiltration if an attacker does manage to gain a foothold in your systems.

 

The need to review

Speaking of data, the Latitude breach also highlights the need for businesses to regularly review and clean up what information they currently hold. Financial services are required to keep documentation for at least seven years, but with Latitude holding information from more than ten years ago, it has unnecessarily impacted a huge number of livelihoods. This is a lesson to remind businesses that any data should be promptly deleted once it is no longer needed. 

Are businesses motivated enough to care?

What are the consequences of this breach for Latitude? Under New Zealand’s Privacy Laws, Latitude may be liable for an NZD$10,000 fine – but only if they fail to adequately disclose a notifiable breach within a sufficient timeframe.

Compare this to other legislation. If this breach had taken place in the jurisdiction of the European Union, under GDPR Latitude could have faced fines of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. With Latitude reporting a total revenue of AUD$927.8 million in 2022, that equates to approximately AUD$37 million (or NZD$40.3 million).

 

Enough consequences?

Sure, Latitude will suffer reputational damage, and they’ve offered to wear the cost of replacement licenses and passports for affected customers. There are also murmurings of a potential class action lawsuit. But one must wonder whether there are enough consequences to motivate big businesses to truly invest in cyber security to a level that matches the risk their customers face when handing their data over.

If the cost of appropriately securing your business against cyber breaches is significantly lower than the cost of dealing with the fallout of a breach, it’s easy to see how profit-driven businesses might simply wear the risk of an attack, rather than spend up large on cyber security.

The Latitude cyber-attack should be a wake-up call for businesses, and consumers need to send a clear message that this type of breach is not acceptable.

It’s imperative that any business that collects personal data understands that cyber security isn’t just a business cost – it’s a must do, for the sake of protecting all New Zealanders.

 

Peter Bailey pictured below.

Share Article

Glenn Baker
Follow Me Written By

Glenn Baker

Glenn is a professional writer/editor with 50-plus years’ experience across radio, television and magazine publishing.

Other Articles

Employee Perks
Previous

Less a recession, more a perk-cession

Boxers
Next

The journey to cyber security maturity, resilience

Next
Boxers
May 8, 2023

The journey to cyber security maturity, resilience

Previous
May 7, 2023

Less a recession, more a perk-cession

Employee Perks

Subscribe to our newsletter

NZBusiness Digital Issue – March 2025

READ MORE

The Latest

From redundancy to resilience

May 16, 2025

Episode 16: Bryce Marsden on sustainable impact through education, youth and environment

May 15, 2025

The high cost of leadership neglect

May 14, 2025

Why making Auckland a Tech Hub makes sense

May 14, 2025

Is AI making us happier? Why some Kiwi leaders would trade coffee for Generative AI

May 13, 2025

Step back to move forward – how Kiwi business owners can unlock growth

May 12, 2025

Most Popular

NZBusiness Digital Issue – June 2024
Understanding AI
Navigating economic headwinds: Insights for SME owners
How much AI data is generated every 60 seconds? New report reveals global AI use
Nourishing success: Sam Bridgewater on his entrepreneurship journey with The Pure Food Co

Related Posts

Why making Auckland a Tech Hub makes sense

May 14, 2025

Is AI making us happier? Why some Kiwi leaders would trade coffee for Generative AI

May 13, 2025

Samsung CSP: Leading the way in tech repairs across New Zealand

May 12, 2025

Cyber security in 2025: A guide on how to protect your business

April 22, 2025
NZBusiness Magazine

New Zealand’s leading source for business news, training guides and opinion from small businesses to multi-national corporations.

© Pure 360 Limited.
All Rights Reserved.

Quick Links

  • Advertise with us
  • Magazine issues
  • About us
  • Contact us
  • Privacy policy
  • Sitemap

Categories

  • News
  • Entrepreneurship
  • Growth
  • Finance
  • Education & Development
  • Marketing
  • Technology
  • Sustainability

Follow Us

LinkedIn
Facebook
Instagram
YouTube
  • Home
  • News
  • Opinion
  • Entrepreneurship
  • Self Development
  • Growth
  • Finance
  • Marketing
  • Technology
  • Sustainability