From:
Julia Wootton
To:
Cristian Cornejo
Cc:
John Crawford-Smith
Subject:
FW: Data breach wording
Date:
Tuesday, 21 March 2023 4:18:34 pm
Attachments:
LFS ASX cyber update 200323.pdf
Hi Cristian,
I am working with Latitude to line up the responses to the NewsHub query – just FYI attached is
the ASX press release from yesterday they have supplied.
As soon as I hear back I’ll send back the updated response
Thanks
Julia
under the Official Information Act 1982
Released
Latitude Group Holdings Ltd
ACN 604 747 391
Level 18, 130 Lonsdale St,
Melbourne VIC 3000
latitudefinancial.com
20 March 2023
ASX ANNOUNCEMENT
1982
Cybercrime update
Latitude Financial (ASX: LFS) announced on 16 March 2023 that it had detected unusual activity on its systems
Act
which it can now confirm as a sophisticated, well-organised and malicious cyber-attack which remains active.
We recognise the distress to our customers caused by the theft of their personal information and we are committed
to transparently updating our customers, partners, employees and the broader community.
Latitude immediately engaged leading external cyber security experts, the Australian Cyber Security Centre, the
Australian Federal Police and other relevant Government agencies.
The attack on Latitude is now the subject of an investigation by the Australian Federal Police.
Our people are working around the clock to contain the attackers. We have taken the prudent action of isolating
some of our technology platforms which means that we are currently not onboarding new customers.
Because the attack remains active, we have taken our platforms offline and are unable to service our customers and
Information
merchant partners. We cannot restore this capability immediately, however we are working to do so gradual y over
the coming days and ask our customers for their continued patience. Our restoration of these services is aligned to
our forensic review.
In conjunction with our cyber-security experts, we are continuing our forensic review of our IT platforms to identify
the full extent of the theft of customer information as a result of the attack on Latitude.
So far, Latitude can confirm that:
Official
•
As previously disclosed, approximately 330,000 customers and applicants have had their personal
information stolen
•
Approximately 96% of the personal information stolen was copies of drivers’ licences or driver licence
numbers
the
•
Less than 4% was copies of passports or passport numbers
•
Less than 1% was Medicare numbers
As our review deepens to include non-customer originating platforms and historical customer information, we are
likely to uncover more stolen information affecting both current and past Latitude customers and applicants. We will
provide a further update when we have more information to share.
Latitude encourages our customers to remain vigilant. We wil never contact customers requesting their passwords.
under
From today, Latitude wil commence contacting customers and applicants who have so far been impacted by this
criminal act, having already written to all our customers on Thursday 16 March 2023 to alert them to the cyber-
attack.
Latitude wil confirm to each impacted customer and applicant what personal information has been stolen, what we
are doing to support them and what additional steps customers should consider taking to further protect their
information. This includes Latitude working with relevant agencies to replace identification documents, where
necessary, at no cost to our customers.
We have engaged IDCARE to help support those impacted. IDCARE is a not-for profit organisation and Australia and
Released
New Zealand’s national incident response service specialising in providing free, confidential cyber incident
information and assistance. Impacted customers and applicants wil be able to contact IDCARE during business
hours on 1800 595 160.
As of today, Latitude has established dedicated contact centres for impacted customers in Australia and New
Zealand to answer queries, as well as a dedicated help page on our website to keep customers and partners fully
informed of developments.
Once the cyber-attack is contained, Latitude commits to a review of this incident. This review will help Latitude to
most effectively safeguard our customers, partners and platforms, while contributing to the continued fight against
cyber-crime on Australian businesses.
Latitude is stil assessing the anticipated total cost to it of this incident, including the cost to Latitude of the support we
intend to provide our customers as described in this announcement.
Latitude maintains insurance policies to cover risks, including cyber security risks, and we have notified our insurers
in respect of the incident.
Latitude Financial Services CEO Ahmed Fahour said:
1982
“I sincerely apologise to our customers and partners for the distress and inconvenience this criminal act has
caused. I understand ful y the wider concern that this cyber-attack has created within the community.
Act
“Our focus is on protecting the ongoing security of our customers, partners and employees’ personal and identity
information, while also doing everything we can to support customers and applicants who have had information
stolen.
“While we continue to deliver transactional services, some functionality has been affected resulting in disruption. We
are working extremely hard to restore full services to our customers and merchant partners and thank them for their
patience and support. We understand their frustration. Customers should refer to Latitude’s website for regular
updates.”
Authorised for release to the ASX by the Company Secretary, Vicki Letcher.
For further information:
Media
Investor Relations
Information
Mark Gardy
Matthew Wilson
+61 412 376 817
+61 401 454 621
Official
the
under
Released
1982
Act
Information
Official
the
under
Released
From:
Cristian Cornejo
To:
Julia Wootton; Maria Robertson
Cc:
John Crawford-Smith; Media Internal Affairs; Sean O"Neill
Subject:
RE: Newshub
Date:
Tuesday, 21 March 2023 4:20:14 pm
Attachments:
image001.png
image002.png
Got it, Julia. Thanks!
1982
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Act
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
From: Julia Wootton <[email address]>
Sent: Tuesday, 21 March 2023 4:20 pm
To: Cristian Cornejo <[email address]>; Maria Robertson
<[email address]>
Cc: John Crawford-Smith <[email address]>; Media Internal Affairs
<[email address]>; Sean O'Neill <Sean.O'[email address]>
Official
Subject: RE: Newshub
I am working with Latitude now to align our messaging to the last question – I’ll confirm asap
the
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 4:19 pm
To: Maria Robertson <[email address]>; Julia Wootton
<[email address]>
Cc: John Crawford-Smith <[email address]>; Media Internal Affairs
under
<[email address]>; Sean O'Neill <Sean.O'[email address]>
Subject: FW: Newshub
Importance: High
Kia ora Julia and Maria,
Please see below a draft response to
media enquiry about the Latitude
Financial Services data breach for your comments and approval.
This is the second enquiry that I told you about on my previous email.
Released
I’d appreciate if you could get back to us asap on this, as this enquiry has a deadline of
4:30pm today.
A big thank you to @John Crawford-Smith who put together all the info for the response.
-STARTS-
Kia ora
Thanks for your enquiry. Please see our answer below, which can be attributed to Julia Wootton, 1982
General Manager Services and Access at Te Tari Taiwhenua Department of Internal Affairs.
1.
Why is it considered safe to continue using a passport if the details of this have been
stolen?
Act
We have assessed the risk and determined that people do not need to apply for a new
passport.
Our Department has robust controls that protect passports from identity takeover, including
sophisticated facial recognition technology. This means people cannot get a passport in someone
else’s identity, even if they have their passport details.
It is also not possible to use passport details to travel in someone else’s identity. For
someone to travel using another person’s passport information, they would need the actual
passport, not just the passport details.
People wanting to find more information about what to do if their passport was affected by
the Latitude Financial Services data breach can visit passports.govt.nz/latitude-financial-services-
Information
data-breach/
2.
Is it still possible that impacted customers will need to replace their passports
eventually?
If the passport has been renewed since they provided it to Latitude, there is no need no
need to do anything.
If they have not renewed their passport, there is also no need to replace their passport if it is
Official
still valid.
If someone chooses to replace their passport, the previous one will be cancelled once the
Department receives the application.
Note that a cancelled passport cannot be used for travel or identification purposes. The
the
person will need to wait until a replacement passport has been issued.
3.
How many NZ based customers of Latitude and associated businesses have been
affected by the cyber-attack according to what Latitude has told the DIA ?
We are working closely with Latitude to identify impacted passport holders.
under
Ngā mihi,
-ENDS-
Thanks!
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Released
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
1982
From:
Act
John Crawford-Smith <[email address]>
Sent: Tuesday, 21 March 2023 2:37 pm
To: Cristian Cornejo <[email address]>
Cc: Media Internal Affairs <[email address]>
Subject: RE: Newshub
Kia ora Cristina,
Refer to https://www.passports.govt.nz/latitude-financial-services-data-breach/
1.
Why is it considered safe to continue using a passport if the details of this have been
stolen?
Information
If the passport has been renewed since they provided it somewhere there is no need no
need to do anything.
If they have not renewed their passport, there is also no need to replace their passport if it is
still valid.
If someone chooses to replace their passport, the previous one will be cancelled once the
Department receives the application.
Official
Note that a cancelled passport cannot be used for travel or identification purposes. The
person will need to wait until a replacement passport has been issued.
the
The Department has robust controls that protect passports from identity takeover, including
sophisticated facial recognition technology.
Someone would need the actual passport, not just the passport details.
If someone’s passport has been lost or stolen, the person must let the Department’s
Passport Office know as soon as possible so we can cancel the passport and protect the
person from any misuse.
under
2. Is it still possible that impacted customers will need to replace their passports eventually?
Refer above
3.
How many NZ based customers of Latitude and associated businesses have been affected
by the cyber-attack according to what Latitude has told the DIA ?
It is currently 1342
Released
Regards
John Crawford-Smith | Principal Advisor
Te Pāhekoheko| Operations
Kāwai ki te Iwi| Service Delivery and Operations
Te Tari Taiwhenua | Department of Internal Affairs
M:
www.dia.govt.nz
1982
Logo-test
Act
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 2:21 pm
To: John Crawford-Smith <[email address]>
Cc: Media Internal Affairs <[email address]>
Subject: FW: Newshub
Hi John,
We got some additional questions about the Latitude date breach from another journalist at
Newshub.
Information
The good news is these seem to be a lot more straightforward than the previous ones.
Can you please consider these ones as well while you work to answer the ones we sent to you
earlier?
The deadline for these ones is 4:30pm today. If you think we won’t be able to meet the
deadline, let me know with time and we’ll message the journalist asking for more time.
1. Why is it considered safe to continue using a passport if the details of this have been stolen?
Official
2. Is it still possible that impacted customers will need to replace their passports eventually?
3. How many NZ based customers of Latitude and associated businesses have been affected by
the
the cyber-attack according to what Latitude has told the DIA ?
Cheers,
Cristián Cornejo
under
(he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Released
1982
From: Media Internal Affairs <[email address]>
Sent: Tuesday, 21 March 2023 2:06 pm
To: Cristian Cornejo <[email address]>
Act
Subject: FW: Newshub
From:
@discovery.com>
Sent: Tuesday, 21 March 2023 1:44 pm
To: Media Internal Affairs <[email address]>
Subject: Newshub
Hi guys,
Information
I have a query in relation to the cyber attack on Latitude Financial.
Below is a statement given to a NZ customer of Latitude finance company Gem citing some
information from DIA.
1. Why is it considered safe to continue using a passport if the details of this have been stolen?
Official
2. Is it still possible that impacted customers will need to replace their passports eventually?
3. How many NZ based customers of Latitude and associated businesses have been affected by
the
the cyber attack according to what Latitude has told the DIA ?
Please come back to me by 430.
Cheers
under
On 16 March 2023, Latitude Financial
Services
(Latitude)1 advised all customers and the market that it
was responding to a malicious cyber-attack that resulted in the
theft of personal information.
Regrettably, we are writing to you today to confirm that some of
your personal information has been stolen.
Released We sincerely apologise that this happened. Protecting your
personal information is of the utmost importance to Latitude and
we are taking all necessary steps to secure our platforms.
This letter explains what happened, how we have responded
and outlines further precautionary steps you can take to lower
the risk of your information being potentially misused.
1982
What happened?
Latitude is experiencing a malicious cyber-attack that has
resulted in a data theft.
Act
While Latitude took immediate action, we understand that the
attacker, via a vendor, was able to steal Latitude employee login
credentials before the incident was contained. The attacker
appears to have used the employee login credentials to steal
personal information.
We have alerted and are working with relevant authorities and
law enforcement agencies, including the Australian Cyber
Security Centre, as well as external cyber security experts.
Information
Latitude also notified the Office of the Privacy Commissioner
(OPC) about this incident on 16 March 2023. You have the right
to make a complaint to the
OPC. They are contactable at their
website here privacy.org.nz.
What kind of information has been impacted?
Official
We have so far identified that the incident has resulted in the
following kinds of your personal information being compromised.
We collected this information from you at the time you applied for
the
credit or sought a quote from Latitude so we could verify your
identity.
· The passport information you supplied which, where
applicable, included your photograph, full name, date
of birth, passport number and dates of issue and
under expiry.
· The personal information you supplied during your
application or quote request which, where applicable,
included your full name, address, and date of birth,
and your phone number.
· A photograph of your face provided as part of Latitude’s
identity verification process.
Steps we are taking to help you
Released
Replacement of identity documents
We are currently working with government agencies on the
process to replace your stolen identity document (where
necessary) at no cost to you. In respect of any necessary
replacement of New Zealand driver licences, we are not yet
ready for you to contact the Waka Kotahi NZ Transport Agency.
We are working as quickly as possible. We will write to you to
1982
provide tailored information depending on the information stolen
and the requirements of the Waka Kotahi NZ Transport Agency.
Important: We are also working with government to determine
Act
which identity documents need to be replaced.
· You may not need to replace your driver licence if only
some details are impacted, rather than a full copy or
image of your driver licence.
· You may also not need to replace your identity document
if you have renewed or replaced it since the time that
you provided it to us.
· For New Zealand passport holders involved in this
incident, the Department of Internal Affairs (DIA) has
confirmed that impacted passports are still safe to use.
Information
Further information is available at passports.govt.nz
--
Official
wbd.com
the
under
Released
From:
Cristian Cornejo
To:
Julia Wootton
Subject:
RE: Latitude/DIA media management
Date:
Tuesday, 21 March 2023 4:25:55 pm
Attachments:
image001.png
Will do.
1982
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
Act
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
From: Julia Wootton <[email address]>
Sent: Tuesday, 21 March 2023 4:22 pm
To: Cristian Cornejo <[email address]>
Subject: FW: Latitude/DIA media management
FYI – here is the contact at Latitude. I need to attend a meeting, could you please make contact
about the wording for that last question from NewsHub?
Official
From: Cutt, Brendon (Latitude Financial) <[email address]>
Sent: Tuesday, 21 March 2023 4:18 pm
the
To: Julia Wootton <[email address]>; Walls, Frederika (Latitude Financial)
<[email address]>
Subject: Latitude/DIA media management
Hi Freddie
under
As just mentioned, Julia has received a couple of media queries. Can you please call her to
discuss asap.
Julia Wootton
General Manager Service and Access
[email address]
Thanks, Brendon
Released
Confidentiality Disclosure Statement: This email and any attachments may contain legally
privileged, confidential information or copyright material of the sender or third party that is
intended for the use of the intended recipient only. Any confidentiality or privilege is not waived
or lost because this document has been sent by mistake. If you are not the intended recipient,
you must not read, copy, distribute, disclose or use the contents of this email or any attachments
without the consent of the sender or the relevant third party. If you have received this mail in
error, please delete it from your system immediately and notify us and confirm the deletion by
responding to the email address you received this from. Except as required by law, the sender
does not represent or warrant that the integrity of this email has been maintained or that it is
1982
free from errors, viruses, interceptions or interference. Any personal information in this
document must be handled in accordance with the privacy laws. Please see our Privacy Policy for
information about our privacy practices in Australia by visiting
https://www.latitudefinancial.com.au/privacy/ and in New Zealand by visiting
Act
https://www.gemfinance.co.nz/privacy/.
Information
Official
the
under
Released
From:
Maria Robertson
To:
Cristian Cornejo; Julia Wootton
Cc:
John Crawford-Smith; Media Internal Affairs; Sean O"Neill
Subject:
Re: TV3 AM show media request
Date:
Tuesday, 21 March 2023 5:04:11 pm
Attachments:
image001.png
image002.png
image003.png
1982
Thanks. Good to go!
M
Act
Maria Robertson| Deputy Chief Executive
Kawai Ki Te Iwi | Service Delivery and Operations
Mobile:
45 Pipitea Street | PO Box 805, Wellington 6140, New Zealand | www.dia.govt.nz
Logo-test
From: Cristian Cornejo <[email address]>
Information
Sent: Tuesday, March 21, 2023 4:44:26 PM
To: Julia Wootton <[email address]>; Maria Robertson
<[email address]>
Cc: John Crawford-Smith <[email address]>; Media Internal Affairs
<[email address]>; Sean O'Neill <Sean.O'[email address]>
Subject: RE: TV3 AM show media request
Official
Kia ora Julia and Maria,
Please see below a new draft of our response to Newshub’s first media enquiry about the
the
Latitude Financial Services data breach, for your comments and approval.
-STARTS-
Kia ora
under
Thanks for your enquiry. Please see our answer below, which can be attributed to Julia
Wootton, General Manager Services and Access at Te Tari Taiwhenua Department of
Internal Affairs.
1. Who should we be giving our passports to?
The primary purpose of the New Zealand Passport is to facilitate travel .
We understand that people do use it as a form of identification, but urge passport
holders to exercise caution when providing their passport for this purpose.
For example, it is always good to enquire about how any copies of any of their identity
documents are stored, shared and used when supplying this information to third parties.
Released
Our advice is for people to keep their passport secure while they are using it, store it
safely away from view when they are not, and never hand it over as a guarantee.
Additional tips for keeping your passport safe are available from
passports.govt.nz/travel-information/ and safetravel.govt.nz/passports-and-visas.
2. What is your advice to companies who request our passport information?
The collection, storage and use of passport information should comply with the
provisions of the Privacy Act and companies should take particular care not to over
1982
collect personal information.
The Privacy Act 2020 governs how organisations and businesses can collect, store, use
and share personal information.
The Privacy Act has 13 privacy principles that govern how businesses and organisations
Act
should collect, handle and use personal information.
More information on these principles is available from privacy.org.nz/privacy-act-
2020/privacy-principles/.
If you need more information or advice for companies handling personal information,
please contact the Privacy Commissioner.
We also suggest that businesses investigate other ways of confirming identity such as a
RealMe verified identity.
RealMe makes it easier for people to access and use online services offered by both
government and the private sector. The service has been created to build trust and
confidence by adhering to New Zealand Government security, identity and privacy
Information
legislation.
Please visit realme.govt.nz/ for more information.
3. Are employees legally obligated to give up this information?
Please refer to our response to question number two. People are not legally obligated to
provide passport information, and the collection, storage and use of passport
information should comply with the provisions of the Privacy Act.
Official
4. If passport information has been stolen through hacking, should you get a
new one?
the
In relation to the Latitude Financial Services data breach, the Department has assessed
the risk and determined that people do not need to apply for a new passport.
A passport cannot be renewed with just the information from the passport book alone,
and DIA has robust processes in place to determine that only those who should be
entitled to a new passport are able to get one.
For more information about what to do if your passport was affected by the Latitude
under
Financial Services data breach, please visit passports.govt.nz/latitude-financial-services-
data-breach/
5. Why are companies/organisations allowed to request passport information?
Please see response to question number two. The collection, storage and use of passport
information should comply with the provisions of the Privacy Act.
6. Why or why isn't that ethical?
We do not believe it’s the Department’s place to answer this question.
Released
7. Additional comments
No additional comments.
Ngā mihi,
-ENDS-
Cheers,
Cristián Cornejo (he/him)
1982
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
Act
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
From: John Crawford-Smith <[email address]>
Information
Sent: Tuesday, 21 March 2023 3:36 pm
To: Cristian Cornejo <[email address]>
Subject: RE: TV3 AM show media request
Kia ora Cristian,
Looks fine to me
Official
Regards
John Crawford-Smith | Principal Advisor
Te Pāhekoheko| Operations
the
Kāwai ki te Iwi| Service Delivery and Operations
Te Tari Taiwhenua | Department of Internal Affairs
M:
www.dia.govt.nz
Logo-test
under
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 3:34 pm
To: John Crawford-Smith <[email address]>
Subject: RE: TV3 AM show media request
Hi John,
Released
I’ve drafted the response below based on the information you put together for us.
In this case we think less is probably more, so I’ve worked to provide answers that make sense
without going into too much detail that might confuse audiences or prompt additional questions
from the journalist.
Please let me know if you are happy with it and I’ll send it to Julia and Maria for approval.
-STARTS-
Kia ora
1982
Thanks for your enquiry. Please see our answer below, which can be attributed to Julia Wootton,
General Manager Services and Access at Te Tari Taiwhenua Department of Internal Affairs.
Act
1.
Who should we be giving our passports to?
Our advice is for people to keep their passport secure while they are using it, store it safely away
from view when they are not, and never hand it over as a guarantee.
Additional tips for keeping your passport safe are available from passports.govt.nz/travel-
information/ and safetravel.govt.nz/passports-and-visas.
2.
What is your advice to companies who request our passport information?
The Privacy Act 2020 governs how organisations and businesses can collect, store, use and share
personal information.
The Privacy Act has 13 privacy principles that govern how businesses and organisations should
collect, handle and use personal information.
Information
More information on these principles is available from privacy.org.nz/privacy-act-2020/privacy-
principles/.
If you need more information or advice for companies handling personal information, please
contact the Privacy Commissioner.
We also suggest that businesses investigate other ways of confirming identity such as a RealMe
verified identity.
Official
RealMe makes it easier for people to access and use online services offered by both government
and the private sector. The service has been created to build trust and confidence by adhering to
New Zealand Government security, identity and privacy legislation.
the
Please visit realme.govt.nz/ for more information.
3.
Are employees legally obligated to give up this information?
Please see response to question number two.
4.
If passport information has been stolen through hacking, should you get a new one?
No, people don’t need to get a new passport.
under
If a person’s passport has been renewed since they provided it to the company or institution that
has been compromised in the cyberattack, there is no ned no need to do anything.
If they have not renewed their passport, there is also no need to replace the passport if it is still
valid.
If they choose to replace their passport, the previous one will be cancelled once the Department
receives the application.
Please note that a cancelled passport cannot be used for travel or identification purposes. The
person will need to wait until a replacement passport has been issued.
For more information about what to do if your passport was affected by the Latitude Financial
Released
Services data breach, please visit passports.govt.nz/latitude-financial-services-data-breach/
5.
Why are companies/organisations allowed to request passport information?
Please see response to question number two.
6.
Why or why isn't that ethical?
We do not believe it’s the Department’s place to answer this question.
7.
Additional comments
1982
No additional comments.
Ngā mihi,
Act
-ENDS-
Cheers,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
Official
From: John Crawford-Smith <[email address]>
Sent: Tuesday, 21 March 2023 2:23 pm
To: Cristian Cornejo <[email address]>
Subject:
the
RE: TV3 AM show media request
How is this?
Regards
John
under
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 2:14 pm
To: Maria Robertson <[email address]>; Nicki Le Grice
<[email address]>
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Sean O'Neill <Sean.O'[email address]>; Rachel Prosser
<[email address]>
Subject: RE: TV3 AM show media request
Released
Thank you!
I will work with journalist and Nicki to find a time for you to do this.
Cheers,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
1982
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Act
From: Maria Robertson <[email address]>
Sent: Tuesday, 21 March 2023 2:06 pm
To: Cristian Cornejo <[email address]>
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
Information
[email address]>; Sean O'Neill <Sean.O'[email address]>; Rachel Prosser
<[email address]>
Subject: RE: TV3 AM show media request
Hi
Yes, sure thing.
Official
M
Maria Robertson
the
| Deputy Chief Executive
Kawai Ki Te Iwi | Service Delivery and Operations
Mobile:
45 Pipitea Street | PO Box 805, Wellington 6140, New Zealand | www.dia.govt.nz
Logo-test
under
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 1:54 PM
To: Maria Robertson <[email address]>
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Sean O'Neill <Sean.O'[email address]>; Rachel Prosser
<[email address]>
Subject: FW: TV3 AM show media request
Released
Importance: High
Kia ora Maria,
Please see below an enquiry we’ve got in the context of the Latitude Financial Services data
breach.
John is working on a response, but in the meantime we’re reaching to you because the journalist
has also asked if someone would be available for an interview on passport safety for the AM
Show tomorrow.
1982
I believe the team has already been in touch with you about this, and I’m looking to confirm with
you if you are willing and available to do this interview tomorrow morning.
If you are keen to do the interview, could you please let me know about your availability to drop
by their studio tomorrow morning and I’ll work with the journalist to coordinate.
Act
If you’d rather have someone else do the interview, or decline the interview and just send the
written response John is working on, let me know and we can work on that too.
Thanks!
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
Information
dia.govt.nz | Facebook | LinkedIn
Official
From: Rachel Prosser <[email address]>
Sent: Tuesday, 21 March 2023 1:02 pm
the
To: Cristian Cornejo <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>
Cc: Media Internal Affairs <[email address]>
Subject: Re: TV3 AM show media request
Hi all, am on leave but want to note that care is needed with a really
under
tricky set of questions, which actually go beyond passports to the
department’s role in maintaining the identity management standards
(saying what combination of documents should be required to verify
identity identity). our role in AML CFT regulator which requires
vérifications, the future of
Digital identity and our role promoting the IVS / Real Me Verified and
the Confirmation service - organisations who use RealMe verified don’t
need the passport.
Q
Questions 3 and 5 look to privacy principles of necessity.
Released
It also looks to the complex issue of data retention and whether passport
data needs to be retained.
It’s not that we cover all of those ; in the timeframe aligning the
department would ne tricky: it’s more being careful that whatever we do
advise isn’t going across other parts of the department advise.
This is a good opportunity to promote Real Me verifies though.
It almost feels like Paul not Maria - I’d check that with her asap.
1982
Act
Get Outlook for iOS
From: Cristian Cornejo <[email address]>
Sent: Tuesday, March 21, 2023 12:35 PM
To: John Crawford-Smith <[email address]>
Cc: Media Internal Affairs <[email address]>; Rachel Prosser
<[email address]>
Subject: FW: TV3 AM show media request
Information
Kia ora John,
I’m reaching out to you in Rachel’s absence. She usually coordinates the responses to media
enquiries and we work with her to get the responses out to journalists.
Please see below an enquiry we’ve got in the context of the Latitude Financial Services data
breach. They are asking for advice on several aspects of passport information sharing.
I know there is some general advice about this on the passports website and that a page has
Official
been specifically set up for the Latitude data breach, but Is there any mor specific lines or advice
that we could use to respond to this enquiry?
Please note the journalist has also asked if someone would be available for an interview on
the
passport safety for the AM Show tomorrow. We can raise that request with Maria once we’ve
put together our response to the enquiry.
Because they want this to be ready for the AM Show tomorrow, we should work towards
providing the response
before COB today.
Please let me know if you are able to help or point me towards someone who can.
under
Ngā mihi,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
Released
dia.govt.nz | Facebook | LinkedIn
1982
Act
Information
Official
the
under
Released
1982
Act
Information
Official
the
under
Released
From:
Cristian Cornejo
To:
Media Internal Affairs
Subject:
FW: AM CONFIRMATION - MARIA ROBERTSON - MARCH 22
Date:
Tuesday, 21 March 2023 5:05:10 pm
Attachments:
image001.png
image002.png
1982
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Act
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
From: Maria Robertson <[email address]>
Sent: Tuesday, 21 March 2023 5:05 pm
To: Cristian Cornejo <[email address]>; Nicki Le Grice <[email address]>
Subject: Re: AM CONFIRMATION - MARIA ROBERTSON - MARCH 22
Thanks! I’ll be there.
Official
M
Maria Robertson| Deputy Chief Executive
Kawai Ki Te Iwi | Service Delivery and Operations
the
Mobile:
45 Pipitea Street | PO Box 805, Wellington 6140, New Zealand | www.dia.govt.nz
Logo-test
under
From: Cristian Cornejo <[email address]>
Sent: Tuesday, March 21, 2023 4:21:52 PM
To: Maria Robertson <[email address]>; Nicki Le Grice
<[email address]>
Subject: FW: AM CONFIRMATION - MARIA ROBERTSON - MARCH 22
Kia ora Maria and Nicki,
Released
Please see below the details regarding tomorrow’s AM Show interview.
1982
Act
Information
Official
the
under
Released
Thank you for your time, we’re looking forward to having you on AM!
Please see confirmed details of your interview below, do let us know if any details need to be updated.
Please note:
1982
If you are feeling unwell or displaying flu-like symptoms on the
day of your interview, please let us know as soon as possible.
Act
Please call/txt
when you arrive
at the studio, or if you need to contact us urgently on the morning of your interview.
AM Interview Confirmation
Segment Details
Information
Date
Wednesday, 22 March 2023
Studio
0650 AM
Arrival
Time
On Air
0720 AM
Time
Topic
Latitude hack
Official
Talent Details
Name
Maria Robertson
Designation Department of Internal Affairs Deputy Chief Executive
the
Contact
cell number | [email address]
Details
Social
Platform | @Handle
Media
Please provide
one only
(FB, Tw, IG,
under
Tik Tok)
Important Information
Location
Newshub Wellington Newsroom, 15 Walter Street, Te Aro, Wellington
Transport
Visitor parking is available on site.
Please do not use other reserved car parks. Additional on-street parking is available if visitor parking is full.
Taxi transfers can be arranged on request.
Appearance There is no formal dress-code for the show, however as a national news show, we do ask you to
dress tidily. Please do not wear stripes or busy patterns.
Released You will be fitted with a lapel-microphone, so please do not wear bracelets or heavy jewellery
that may make noise or bump against the microphone when you move.
Hair &
Please arrive camera ready. Please no wet-hair.
Makeup
Language
Please remember, as we are on-air early in the morning, children may be watching, so take care
with your language.
Copies of
Unfortunately due to the high volume of content we produce, we can’t guarantee your interview
recordings will be posted on our digital assets. We are also unable to provide a clipping of your interview.
If you’d like to review your appearance, we suggest recording it on your own device.
1982
Please let us know if you have any questions!
Act
wbd.com
Information
Official
the
under
Released
From:
John Crawford-Smith
To:
Cristian Cornejo
Subject:
RE: Latitude breach media responses
Date:
Tuesday, 21 March 2023 5:50:22 pm
Attachments:
image001.png
Cristian,
Thanks although not sure how much I contributed – I will get better.
1982
Have a good evening.
Regards
Act
John
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 5:45 pm
To: John Crawford-Smith <[email address]>
Subject: Latitude breach media responses
Kia ora John,
Information
Thanks again for your help today.
I’ve attached the final responses approved by Maria FYI.
Cheers,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Official
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
the
Mobile:
dia.govt.nz | Facebook | LinkedIn
under
Released
From:
Cristian Cornejo
To:
Julia Wootton
Cc:
Maria Robertson
Subject:
Fwd: TVNZ request
Date:
Wednesday, 22 March 2023 4:51:47 pm
Attachments:
Outlook-5folv3yg.png
Outlook-0ahuiw2r.png
Kia ora Julia.
1982
Please see below a request that just came in from TVNZ asking for an update on the
number of passports affected by the Latitude Financial breach.
Act
Their Australian correspondent is doing a story on the breach for tonight and would like to
have the latest info on affected passports.
Is there any update numbers we can provide or is the answers still the same as yesterday
evening?
Ngā mihi,
Cristián
From: Media Internal Affairs <[email address]>
Information
Sent: Wednesday, March 22, 2023 4:39 PM
To: Cristian Cornejo <[email address]>
Subject: FW: TVNZ request
Hi Cristian,
Do we have any update on the figure of passports from yesterday that we could provide? I will
Official
go back to him re: licences not being our responsibility and maybe Latitude being the best source
of figures given it is their breach. I’ll also try and get a deadline.
the
Cheers, Mary
From:
@tvnz.co.nz>
Sent: Wednesday, 22 March 2023 4:32 pm
To: Media Internal Affairs <[email address]>
Subject: TVNZ request
under
Hi there,
Could I have some confirmation over the numbers of kiwis affected by the Latitude
Financial hack. Numbers of passports and licenses etc
Cheers!
Released
1982
Act
Follow us: Facebook | Twitter | YouTube
Information
Official
the
under
Released
From:
John Crawford-Smith
To:
Maria Robertson; Cristian Cornejo; Julia Wootton
Cc:
Media Internal Affairs; Sean O"Neill
Subject:
RE: Newshub interview and article
Date:
Thursday, 23 March 2023 8:37:51 am
Attachments:
image002.png
image003.png
Really well done on this and great interview Maria.
1982
Regards
Act
John Crawford-Smith | Principal Advisor
Te Pāhekoheko| Operations
Kāwai ki te Iwi| Service Delivery and Operations
Te Tari Taiwhenua | Department of Internal Affairs
M:
www.dia.govt.nz
Logo-test
From: Maria Robertson <[email address]> Information
Sent: Wednesday, 22 March 2023 9:31 am
To: Cristian Cornejo <[email address]>; Julia Wootton
<[email address]>
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Sean O'Neill <Sean.O'[email address]>
Subject: Re: Newshub interview and article
Official
Thanks Cristian - we did well to pull this together promptly. Good
messages out the door. Thanks for that.
M
the
Maria Robertson| Deputy Chief Executive
Kawai Ki Te Iwi | Service Delivery and Operations
Mobile:
under
45 Pipitea Street | PO Box 805, Wellington 6140, New Zealand | www.dia.govt.nz
Logo-test
From: Cristian Cornejo <[email address]>
Sent: Wednesday, March 22, 2023 9:23:00 AM
To: Maria Robertson <[email address]>; Julia Wootton
Released
<[email address]>
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Sean O'Neill <Sean.O'[email address]>
Subject: Newshub interview and article
Mōrena koutou,
Please see below FYI the links to
article and Maria’s interview from this
morning about the Latitude Financial breach.
1982
Thanks again to everyone for your help getting this out the door yesterday evening.
article: Department of Internal Affairs says more than 1300 Kiwis' passport details
stolen in massive hack on Latitude Financial
Act
Maria’s interview: Department of Internal Affairs' advice to New Zealanders as thousands of
passport details, driver's licenses stolen in Latitude security breach
Ngā mihi,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
Information
dia.govt.nz | Facebook | LinkedIn
Official
the
under
Released
From:
Cristian Cornejo
To:
Jeremy Williams
Subject:
RE: Newshub - Update on Latitude hack
Date:
Tuesday, 28 March 2023 11:44:10 am
Attachments:
image001.png
image002.png
image003.png
Thank you!
1982
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Act
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
From: Jeremy Williams <[email address]>
Sent: Tuesday, 28 March 2023 11:15 am
To: Cristian Cornejo <[email address]>; Julia Wootton
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Media Internal Affairs <[email address]>
Official
Subject: RE: Newshub - Update on Latitude hack
The moment Latitude give us those numbers we will pass them on.
the
Jeremy
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 28 March 2023 10:58 AM
To: Jeremy Williams <[email address]>; Julia Wootton
under
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Media Internal Affairs <[email address]>
Subject: RE: Newshub - Update on Latitude hack
Kia ora team,
We didn’t hear back from you about updated numbers for affected passports, so we went back
to the journalists with the agreed line about the data still being analysed.
Released
However, we’re still keen on providing an update when we know what the latest numbers are, so
please let us know when you hear back from Latitude about this.
Thank you!
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
1982
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Act
From: Jeremy Williams <[email address]>
Sent: Monday, 27 March 2023 2:01 pm
To: Cristian Cornejo <[email address]>; Julia Wootton
<[email address]>
Information
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Media Internal Affairs <[email address]>
Subject: RE: Newshub - Update on Latitude hack
Hi Cristian,
I’ve gone back to them to indicate we would like these numbers asap but obviously this remains
Official
out of our control. I will let you know if we get any further updates asap.
In the instance I cant get anything additional, your final paragraph is spot on – i.e. we’re still
the
waiting on Latitude.
I’ve attached the latest update we’ve got.
Jeremy
under
From: Cristian Cornejo <[email address]>
Sent: Monday, 27 March 2023 1:57 PM
To: Julia Wootton <[email address]>; Jeremy Williams
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Media Internal Affairs <[email address]>
Subject: RE: Newshub - Update on Latitude hack
Thanks for the quick reply, Julia.
Released
Do you think we could push for a number before the end of the day? It would reflect better on
the Department if we were known to have the latest information, reinforcing the idea that we
are on top of this.
If a getting a number before the end of the day is not possible, we can say we’re still working
closely with Latitude, but can’t provide an update number because the data is still being
analysed.
Ngā mihi,
1982
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
Act
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
From: Julia Wootton <[email address]>
Sent: Monday, 27 March 2023 1:26 pm
To: Cristian Cornejo <[email address]>; Jeremy Williams
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Media Internal Affairs <[email address]>
Subject: RE: Newshub - Update on Latitude hack
Official
I’ve been in touch with Latitude this morning asking for an update on numbers. They don’t have
anything further at this stage as they are still analysing the dataset.
the
From: Cristian Cornejo <[email address]>
Sent: Monday, 27 March 2023 1:25 pm
To: Julia Wootton <[email address]>; Jeremy Williams
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
under
[email address]>; Media Internal Affairs <[email address]>
Subject: FW: Newshub - Update on Latitude hack
Importance: High
Kia ora Jeremy,
I’m reaching out to you in Julia’s absence.
Following and update from Latitude Finance on how many passports, driver's licenses etc were
Released
compromised in their security breach, we’ve had a couple of media outlets reaching out to ask if
we can provide an updated number on the amount of NZ passports affected.
1982
Act
Information
Official
the
under
Released
newshub.co.nz
wbd.com
1982
Act
From:
@tvnz.co.nz>
Sent: Monday, 27 March 2023 1:08 pm
To: Media Internal Affairs <[email address]>
Subject: TVNZ query
Hi there,
I see Latitude has just put out an update confirming their hack is worse than initially
thought - and say that 53,000 passports were taken.
Information
Can someone from DIA confirm the number of NZ ones impacted if it's changed from last
week?
Cheers,
Official
the
under
Released
From:
Cristian Cornejo
To:
Jeremy Williams
Subject:
RE: TVNZ query
Date:
Wednesday, 29 March 2023 3:39:02 pm
Attachments:
image001.png
image002.png
image003.png
image004.png
1982
Awesome, thanks!
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Act
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
From: Jeremy Williams <[email address]>
Sent: Wednesday, 29 March 2023 3:37 pm
To: Cristian Cornejo <[email address]>; Julia Wootton
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
Official
[email address]>; Media Internal Affairs <[email address]>
Subject: RE: TVNZ query
I will follow up with latitude directly now
the
Jeremy
From: Cristian Cornejo <[email address]>
Sent: Wednesday, 29 March 2023 3:36 PM
under
To: Jeremy Williams <[email address]>; Julia Wootton
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Media Internal Affairs <[email address]>
Subject: FW: TVNZ query
Importance: High
Kia ora tīma,
Released
As you might have seen in the news, the Latitude breach story is becoming bigger by the minute.
We are getting media enquiries about the number of passports affected on a daily basis.
We have been using the agreed line – that we are still working closely with Latitude, but can’t
provide an updated number because the data is still being analysed – but it would really help if
we can provide an update on the number as soon as possible and work with Latitude to get
regular updates in the coming weeks.
I know we’ve come to you with this same request earlier this week and that a lot of it is out of
our control, but considering this is one of the biggest news stories right now, we think it’s worth
insisting with Latitude so we can answer the questions from the media to demonstrate we are
1982
on top of this .
Thank you and please let us know if we can help in any way.
Act
Ngā mihi,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
From: Media Internal Affairs <[email address]>
Official
Sent: Wednesday, 29 March 2023 3:00 pm
To: Cristian Cornejo <[email address]>
Subject: FW: TVNZ query
the
Kia ora Cristian,
Is there any update? This is an ongoing story and we will be getting requests for updated figures
while it remains a lead news item. It would be great if Latitude had provided something we can
pass on to media today.
under
Ngā mihi nui,
Mary
Mary Burgess (she/her)
Senior Media Advisor
Te Tari Taiwhenua | Department of Internal Affairs
Released
Media phone |
1982
Act
Information
Official
the
under
Released
1982
Act
Information
Official
the
under
Released
Follow us: Facebook | Twitter | YouTube
1982
Act
Information
Official
the
under
Released
From:
Cutt, Brendon (Latitude Financial)
To:
Jeremy Williams; Julia Wootton
Cc:
Cristian Cornejo
Subject:
Latitude - ASX announcement
Date:
Tuesday, 11 April 2023 11:28:42 am
Attachments:
LFS ASX cyber update 110423.pdf
You don't often get email from [email address]. Learn why this is important
1982
Hi all
FYI, please find attached Latitude’s latest ASX Announcement. Please note that Latitude will not
Act
be paying any ransom to the threat actor.
Regards, Brendon
Brendon Cutt
General Manager, Compliance and Conduct Risk
Latitude Financial Services
Information
M
Confidentiality Disclosure Statement: This email and any attachments may contain legally
privileged, confidential information or copyright material of the sender or third party that
is intended for the use of the intended recipient only. Any confidentiality or privilege is not
waived or lost because this document has been sent by mistake. If you are not the intended
Official
recipient, you must not read, copy, distribute, disclose or use the contents of this email or
any attachments without the consent of the sender or the relevant third party. If you have
received this mail in error, please delete it from your system immediately and notify us and
confirm the deletion by responding to the email address you received this from. Except as
the
required by law, the sender does not represent or warrant that the integrity of this email has
been maintained or that it is free from errors, viruses, interceptions or interference. Any
personal information in this document must be handled in accordance with the privacy
laws. Please see our Privacy Policy for information about our privacy practices in Australia
by visiting https://www.latitudefinancial.com.au/privacy/ and in New Zealand by visiting
https://www.gemfinance.co.nz/privacy/.
under
Released
Latitude Group Holdings Ltd
ACN 604 747 391
Level 18, 130 Lonsdale St,
Melbourne VIC 3000
latitudefinancial.com
11 April 2023
1982
ASX ANNOUNCEMENT
Cybercrime update
Act
Latitude Financial (ASX: LFS) has received a ransom demand from the criminals behind the cyber-attack on our
company.
Latitude wil not pay a ransom. This decision is consistent with the position of the Australian Government.
We wil not reward criminal behaviour, nor do we believe that paying a ransom wil result in the return or destruction
of the information that was stolen.
In line with advice from cybercrime experts, Latitude strongly believes that paying a ransom wil be detrimental to
our customers and cause harm to the broader community by encouraging further criminal attacks.
The stolen data the attackers have detailed as part of their ransom threat is consistent with the number of affected
Information
customers disclosed by Latitude in our announcement dated 27 March 2023.
This matter is under investigation by the Australian Federal Police and we continue to work with the Australian
Cyber Security Centre and cyber-security experts on our response.
We are in the process of contacting all customers, past customers and applicants whose information was
compromised, outlining details of the information stolen, the support we are providing and our plans for remediation.
We wil complete this process as quickly as we can.
Official
We encourage al our customers to remain vigilant and alert to potential scam attempts.
To the best of our knowledge, there has been no suspicious activity inside Latitude’s systems since Thursday 16
March 2023.
the
Regular business operations are being restored, with Latitude’s primary Customer Contact Centre back online and
operating at full capacity. We wil respond to al customer enquiries as a priority. Customers can also access
services via the Latitude website and mobile app. New customer originations have also recommenced.
Latitude maintains insurance policies to cover risks, including cyber-security risks, and we have notified our insurers
in respect of this incident.
under
Latitude Financial CEO Bob Belan said: “Latitude wil not pay a ransom to criminals. Based on the evidence and advice, there is simply no guarantee that
doing so would result in any customer data being destroyed and it would only encourage further extortion attempts
on Australian and New Zealand businesses in the future.
“Our priority remains on contacting every customer whose personal information was compromised and to support
them through this process.
“In paral el, our teams have been focused on safely restoring our IT systems, bringing staffing levels back to ful
capacity, enhancing security protections and returning to normal operations.
Released
“I apologise personally and sincerely for the distress that this cyber-attack has caused and I hope that in time we are
able to earn back the confidence of our customers.”
Supporting our customers
Latitude is delivering a comprehensive customer care and remediation program to support affected individuals. Some
of the steps we are taking include:
Latitude’s dedicated contact centres are available for affected customers in Australia and New Zealand between 9am
– 6pm AEST/NZST, Monday – Friday.
Additional support is available via our dedicated contact centres for customers who are in a uniquely vulnerable 1982
position as a result of this cyber-attack.
We have engaged IDCARE, a not-for profit organisation specialising in providing free, confidential cyber incident
information and assistance. If you wish to speak with one of their expert Case Managers, please visit idcare.org or
call (New Zealand) 0800 121 068, 11am – 6pm NZST, Monday – Friday (excluding public holidays) or (Australia)
Act
1800 595 160 (use the referral code LAT23).
Mental Health and Wel being Support is available free of charge through our Support Line 0800 808 374 (New
Zealand) or 1800 808 374 (Australia).
The Help page on our website is also being kept up to date with the latest information.
Authorised for release to the ASX by the Board of Directors.
For further information:
Media
Investor Relations
Mark Gardy
Matthew Wilson Information
+61 412 376 817
+61 401 454 621
Official
the
under
Released
From:
Maria Robertson
To:
Cristian Cornejo; Julia Wootton; Media Internal Affairs
Cc:
John Crawford-Smith
Subject:
Re: Newshub media enquiry
Date:
Tuesday, 21 March 2023 5:07:41 pm
Attachments:
image001.png
Thanks. I’m comfortable, just curious: if we know the number is around 1350 why would
we not say that?
1982
M
Act
Maria Robertson| Deputy Chief Executive
Kawai Ki Te Iwi | Service Delivery and Operations
Mobile:
45 Pipitea Street | PO Box 805, Wellington 6140, New Zealand | www.dia.govt.nz
Logo-test
From: Cristian Cornejo <[email address]>
Sent: Tuesday, March 21, 2023 5:05:38 PM
Information
To: Maria Robertson <[email address]>; Julia Wootton
<[email address]>; Media Internal Affairs <[email address]>
Cc: John Crawford-Smith <[email address]>
Subject: RE: Newshub media enquiry
Kia ora Maria and Julia,
Official
Latitude has nor confirmed they are happy with the wording on this response, so I’m seeking
your approval to send it out to
urgently, as the deadline for this passed 30 mins ago.
the
-STARTS-
Kia ora
Thanks for your enquiry. Please see our answer below, which can be attributed to Julia Wootton, General
Manager Services and Access at Te Tari Taiwhenua Department of Internal Affairs.
under
1.
Why is it considered safe to continue using a passport if the details of this have been stolen?
We have assessed the risk and determined that people do not need to apply for a new passport.
Our Department has robust controls that protect passports from identity takeover, including sophisticated
facial recognition technology. This means people cannot get a passport in someone else’s identity, even if they
have their passport details.
It is also not possible to use passport details to travel in someone else’s identity. For someone to travel
using another person’s passport information, they would need the actual passport, not just the passport details.
People wanting to find more information about what to do if their passport was affected by the Latitude
Financial Services data breach can visit passports.govt.nz/latitude-financial-services-data-breach/
Released
2.
Is it still possible that impacted customers will need to replace their passports eventually?
If the passport has been renewed since they provided it to Latitude, there is no need no need to do
anything.
If they have not renewed their passport, there is also no need to replace their passport if it is still valid.
If someone chooses to replace their passport, the previous one will be cancelled once the Department
receives the application.
Note that a cancelled passport cannot be used for travel or identification purposes. The person will need to
wait until a replacement passport has been issued.
3.
How many NZ based customers of Latitude and associated businesses have been affected by the
1982
cyber-attack according to what Latitude has told the DIA ?
We are working closely with Latitude to identify impacted passport holders.
Ngā mihi,
Act
-ENDS-
Thanks!
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Information
Mobile:
dia.govt.nz | Facebook | LinkedIn
Official
From: Walls, Frederika (Latitude Financial) <[email address]>
the
Sent: Tuesday, 21 March 2023 4:57 pm
To: Cristian Cornejo <[email address]>
Cc: Julia Wootton <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Kingston, Lizzy (Latitude Financial) <[email address]>
Subject: RE: Newshub media enquiry
under
Kia ora - thanks for sending through, the answers look good. As confirmed in the media
statement the number of passports is a small percentage - media statement.
Thank you
Freddie
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 4:30 pm
To: Walls, Frederika (Latitude Financial) <[email address]>
Released
Cc: Julia Wootton <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>
1982
Act
Information
Official
the
under
Released
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
1982
Act
Confidentiality Disclosure Statement: This email and any attachments may contain legally
privileged, confidential information or copyright material of the sender or third party that is
intended for the use of the intended recipient only. Any confidentiality or privilege is not waived
or lost because this document has been sent by mistake. If you are not the intended recipient,
you must not read, copy, distribute, disclose or use the contents of this email or any attachments
without the consent of the sender or the relevant third party. If you have received this mail in
error, please delete it from your system immediately and notify us and confirm the deletion by
responding to the email address you received this from. Except as required by law, the sender
does not represent or warrant that the integrity of this email has been maintained or that it is
free from errors, viruses, interceptions or interference. Any personal information in this
Information
document must be handled in accordance with the privacy laws. Please see our Privacy Policy for
information about our privacy practices in Australia by visiting
https://www.latitudefinancial.com.au/privacy/ and in New Zealand by visiting
https://www.gemfinance.co.nz/privacy/.
Official
the
under
Released
1982
Act
Information
Official
the
under
Released
1982
Act
Information
Official
the
under
Released
1982
Act
Information
Official
the
under
Released
1982
Act
Information
Official
the
under
Released
(
link to page below)
Draft web page wording
Latitude Financial Services data breach
1982
Latitude Financial Services (also trading as GEM Finance in New Zealand), an Australian finance
company, has recently advised customers of a cyberattack which may have resulted in
unauthorised access to current and former customers’ information held by the company. Act
How do I know if I have been impacted by the data breach?
Latitude Financial Services is notifying all affected customers about the data breach. This
includes New Zealand passport holders who provided their New Zealand passport as part
of setting up their accounts with Latitude Financial Services.
If you are not contacted by Latitude Financial Services, you have not been impacted by the
breach.
What passport details could have been exposed?
Some people had their New Zealand passport details compromised.
Information
A copy of your passport bio-data page may have been exposed.
Latitude Financial Services will advise you if your New Zealand passport details were
compromised.
Do I need to replace my passport if I have been impacted?
Official
No, you don't have to.
If you have renewed your passport since signing up with Latitude Financial Services, you
do not need to do anything. the
If you have not renewed your passport, there is no need to replace your passport if it is still
valid.
Can I use my passport to travel?
under
Yes, your passport is safe to use for international travel. Your passport remains valid for
travel unless it has expired or it has been renewed.
Could someone else get a passport in my identity?
No. We use robust controls that protect your passport from identity takeover, including
sophisticated facial recognition technology.
Could someone use my passport details to travel in my identity?
No. They would need your actual passport, not just your passport details.
Released
If your passport has been lost or stolen, you must let the Department of Internal Affairs
(DIA) Passport Office know as soon as possible so we can cancel your passport and
protect you from any misuse.
Further information about lost and stolen passports is available here:
Lost, stolen or damaged passport
Is it still safe to use my passport as proof of identity?
1982
Impacted Latitude Financial Services customers may be concerned their passport details
could be misused to commit identity fraud.
Act
You have the option to ask DIA to apply a block in the Australia Document Verification
Service (DVS) system on your behalf. This block will mean that your passport number
cannot be used for digital verification in Australia, but you can still use your passport to
verify your identity in person as required, such as for the purposes of taking out a loan, or a
phone plan.
If you want DIA to apply a block in DVS, email us at: [email address].
Let us know your current passport number, name and contact phone number, including
area and country codes – we’ll call from New Zealand. Put ' Latitude Financial Services' in
the subject line.
Information
Is my passport still valid if I replace it?
If you choose to replace your passport, the previous one will be cancelled once we receive
your application.
Note that a cancelled passport cannot be used for travel or identification purposes.
You will need to wait until a replacement passport has been issued.
Official
Information about passport timeframes is available here:
Passport timeframes
the
What happens if I replace my New Zealand passport while I am overseas?
We understand that you may be worried that you could be stranded without any valid ID
overseas. If you have upcoming international travel planned, we recommend that you
travel on your current passport.
under
If you would like to replace your passport, contact DIA to discuss your upcoming travel
plans before cancelling your passport.
Confidentiality Disclosure Statement: This email and any attachments may contain legally
privileged, confidential information or copyright material of the sender or third party that
is intended for the use of the intended recipient only. Any confidentiality or privilege is not
waived or lost because this document has been sent by mistake. If you are not the intended
Released
recipient, you must not read, copy, distribute, disclose or use the contents of this email or
any attachments without the consent of the sender or the relevant third party. If you have
received this mail in error, please delete it from your system immediately and notify us and
confirm the deletion by responding to the email address you received this from. Except as
required by law, the sender does not represent or warrant that the integrity of this email has
been maintained or that it is free from errors, viruses, interceptions or interference. Any
personal information in this document must be handled in accordance with the privacy
laws. Please see our Privacy Policy for information about our privacy practices in Australia
by visiting https://www.latitudefinancial.com.au/privacy/ and in New Zealand by visiting
https://www.gemfinance.co.nz/privacy/.
1982
Confidentiality Disclosure Statement: This email and any attachments may contain legally
privileged, confidential information or copyright material of the sender or third party that
is intended for the use of the intended recipient only. Any confidentiality or privilege is not
Act
waived or lost because this document has been sent by mistake. If you are not the intended
recipient, you must not read, copy, distribute, disclose or use the contents of this email or
any attachments without the consent of the sender or the relevant third party. If you have
received this mail in error, please delete it from your system immediately and notify us and
confirm the deletion by responding to the email address you received this from. Except as
required by law, the sender does not represent or warrant that the integrity of this email has
been maintained or that it is free from errors, viruses, interceptions or interference. Any
personal information in this document must be handled in accordance with the privacy
laws. Please see our Privacy Policy for information about our privacy practices in Australia
by visiting https://www.latitudefinancial.com.au/privacy/ and in New Zealand by visiting
https://www.gemfinance.co.nz/privacy/.
Information
Confidentiality Disclosure Statement: This email and any attachments may contain legally
privileged, confidential information or copyright material of the sender or third party that
is intended for the use of the intended recipient only. Any confidentiality or privilege is not
waived or lost because this document has been sent by mistake. If you are not the intended
recipient, you must not read, copy, distribute, disclose or use the contents of this email or
any attachments without the consent of the sender or the relevant third party. If you have
received this mail in error, please delete it from your system immediately and notify us and
confirm the deletion by responding to the email address you received this from. Except as
Official
required by law, the sender does not represent or warrant that the integrity of this email has
been maintained or that it is free from errors, viruses, interceptions or interference. Any
personal information in this document must be handled in accordance with the privacy
the
laws. Please see our Privacy Policy for information about our privacy practices in Australia
by visiting https://www.latitudefinancial.com.au/privacy/ and in New Zealand by visiting
https://www.gemfinance.co.nz/privacy/.
Confidentiality Disclosure Statement: This email and any attachments may contain legally
privileged, confidential information or copyright material of the sender or third party that
is intended for the use of the intended recipient only. Any confidentiality or privilege is not
under
waived or lost because this document has been sent by mistake. If you are not the intended
recipient, you must not read, copy, distribute, disclose or use the contents of this email or
any attachments without the consent of the sender or the relevant third party. If you have
received this mail in error, please delete it from your system immediately and notify us and
confirm the deletion by responding to the email address you received this from. Except as
required by law, the sender does not represent or warrant that the integrity of this email has
been maintained or that it is free from errors, viruses, interceptions or interference. Any
personal information in this document must be handled in accordance with the privacy
laws. Please see our Privacy Policy for information about our privacy practices in Australia
by visiting https://www.latitudefinancial.com.au/privacy/ and in New Zealand by visiting
Released
https://www.gemfinance.co.nz/privacy/.
