From:
John Crawford-Smith
To:
Operations Management Team; Micheala Ngaia; Anne-Claire Wyseur
Subject:
Department of Internal Affairs" advice to New Zealanders as thousands of passport details, driver"s licenses
stolen in Latitude security breach
Date:
Thursday, 23 March 2023 8:20:40 am
Really good interview with Maria and article
https://www.newshub.co.nz/home/technology/2023/03/department-of-internal-affairs-advice-
to-new-zealanders-as-thousands-of-passport-details-driver-s-licenses-stolen-in-latitude-security-
breach.html
Regards
John
under the Official Information Act 1982
Released
From:
John Crawford-Smith
To:
Julia Wootton; Russell Burnard
Subject:
FW: TV3 AM show media request
Date:
Tuesday, 21 March 2023 1:02:54 pm
Attachments:
image001.png
FYI
1982
Regards
John
Act
From: Rachel Prosser <[email address]>
Sent: Tuesday, 21 March 2023 1:02 pm
To: Cristian Cornejo <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>
Cc: Media Internal Affairs <[email address]>
Subject: Re: TV3 AM show media request
Hi all, am on leave but want to note that care is needed with a really
tricky set of questions, which actually go beyond passports to the
department’s role in maintaining the identity management standards
(saying what combination of documents should be required to verify
Information
identity identity). our role in AML CFT regulator which requires
vérifications, the future of
Digital identity and our role promoting the IVS / Real Me Verified and
the Confirmation service - organisations who use RealMe verified don’t
need the passport.
Q
Questions 3 and 5 look to privacy principles of necessity.
Official
It also looks to the complex issue of data retention and whether passport
data needs to be retained.
It’s not that we cover all of those ; in the timeframe aligning the
department would ne tricky: it’s more being careful that whatever we do
the
advise isn’t going across other parts of the department advise.
This is a good opportunity to promote Real Me verifies though.
It almost feels like Paul not Maria - I’d check that with her asap.
under
Get Outlook for iOS
From: Cristian Cornejo <[email address]>
Sent: Tuesday, March 21, 2023 12:35 PM
To: John Crawford-Smith <[email address]>
Released
Cc: Media Internal Affairs <[email address]>; Rachel Prosser
1982
Act
Information
Official
the
under
Released
would like to get an official statement and possibly someone on air tomorrow morning to talk
about passport safety.
If we could get answers for the following, that would be amazing.
1. Who should we be giving our passports to?
2. What is your advice to companies who request our passport information?
1982
3. Are employees legally obligated to give up this information?
4. If passport information has been stolen through hacking, should you get a new one?
5. Why are companies/organisations allowed to request passport information? 6. Why or why
isn't that ethical?
Act
7. Additional comments
Further context can be found in this article:
https://www.newshub.co.nz/home/technology/2023/03/latitude-group-parent-company-of-
genoapay-and-gem-hit-by-cyber-attack.html
--
Information
WBD.COM
Official
the
under
Released
From:
Cristian Cornejo
To:
John Crawford-Smith
Subject:
Latitude breach media responses
Date:
Tuesday, 21 March 2023 5:44:49 pm
Attachments:
FW Newshub.msg
RE AM CONFIRMATION - MARIA ROBERTSON - MARCH 22.msg
image001.png
Kia ora John,
1982
Thanks again for your help today.
I’ve attached the final responses approved by Maria FYI.
Act
Cheers,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
Official
the
under
Released
From:
Media Internal Affairs
To:
@discovery.com
Subject:
FW: Newshub
Date:
Tuesday, 21 March 2023 5:37:39 pm
Attachments:
image001.png
Kia ora
,
Thanks for your enquiry and apologies for the delay getting back to you. Please see our answer below, which
1982
can be attributed to Julia Wootton, General Manager Services and Access at Te Tari Taiwhenua Department of
Internal Affairs.
1.
Why is it considered safe to continue using a passport if the details of this have been stolen?
We have assessed the risk and determined that people do not need to apply for a new passport. Act
Our Department has robust controls that protect passports from identity takeover, including sophisticated
facial recognition technology. This means people cannot get a passport in someone else’s identity, even if they
have their passport details.
It is also not possible to use passport details to travel in someone else’s identity. For someone to travel
using another person’s passport information, they would need the actual passport, not just the passport details.
People wanting to find more information about what to do if their passport was affected by the Latitude
Financial Services data breach can visit passports.govt.nz/latitude-financial-services-data-breach/
2.
Is it still possible that impacted customers will need to replace their passports eventually?
If the passport has been renewed since they provided it to Latitude, there is no need no need to do
anything.
If they have not renewed their passport, there is also no need to replace their passport if it is still valid.
If someone chooses to replace their passport, the previous one will be cancelled once the Department
Information
receives the application.
Note that a cancelled passport cannot be used for travel or identification purposes. The person will need to
wait until a replacement passport has been issued.
3.
How many NZ based customers of Latitude and associated businesses have been affected by the
cyber-attack according to what Latitude has told the DIA ?
We are currently aware of 1342 and are working closely with Latitude to identify any other impacted
passport holders.
From:
Official
@discovery.com>
Sent: Tuesday, 21 March 2023 4:28 pm
To: Media Internal Affairs <[email address]>
Subject: Re: Newshub
the
Great, thanks Mary.
On Tue, 21 Mar 2023 at 4:24 PM, Media Internal Affairs <[email address]> wrote:
Hi
Just an update that we are just working on sign off to your response but won’t make 4.30pm.
Ngā mihi nui,under
Mary
Mary Burgess (she/her)
Senior Media Advisor
Te Tari Taiwhenua | Department of Internal Affairs
Media phone |
DIA Logo - Email Signature
Released
dia.govt.nz| Facebook | LinkedIn
From:
@discovery.com>
Sent: Tuesday, 21 March 2023 1:44 pm
To: Media Internal Affairs <[email address]>
Subject: Newshub
Hi guys,
I have a query in relation to the cyber attack on Latitude Financial.
Below is a statement given to a NZ customer of Latitude finance company Gem citing some
1982
information from DIA.
1. Why is it considered safe to continue using a passport if the details of this have been
stolen?
Act
2. Is it still possible that impacted customers will need to replace their passports eventually?
3. How many NZ based customers of Latitude and associated businesses have been affected
by the cyber attack according to what Latitude has told the DIA ?
Please come back to me by 430.
Cheers
On 16 March 2023, Latitude Financial Services
(Latitude)1
advised all customers and the market that it was responding to
a malicious cyber-attack that resulted in the theft of personal
information.
Information
Regrettably, we are writing to you today to confirm that some
of your personal information has been stolen.
We sincerely apologise that this happened. Protecting your
personal information is of the utmost importance to Latitude
and we are taking all necessary steps to secure our platforms.
Official
This letter explains what happened, how we have responded
and outlines further precautionary steps you can take to lower
the
the risk of your information being potentially misused.
What happened?
Latitude is experiencing a malicious cyber-attack that has
resulted in a data theft.
under
While Latitude took immediate action, we understand that the
attacker, via a vendor, was able to steal Latitude employee
login credentials before the incident was contained. The
attacker appears to have used the employee login credentials
to steal personal information.
We have alerted and are working with relevant authorities and
law enforcement agencies, including the Australian Cyber
Released Security Centre, as well as external cyber security experts.
Latitude also notified the Office of the Privacy Commissioner
(OPC) about this incident on 16 March 2023. You have the
right to make a complaint to the
OPC. They are contactable at
their website here privacy.org.nz.
What kind of information has been impacted?
1982
We have so far identified that the incident has resulted in the
following kinds of your personal information being
compromised. We collected this information from you at the
time you applied for credit or sought a quote from Latitude so
Act
we could verify your identity.
· The passport information you supplied which,
where applicable, included your photograph, full
name, date of birth, passport number and dates of
issue and expiry.
· The personal information you supplied during your
application or quote request which, where
applicable, included your full name, address, and
date of birth, and your phone number.
Information
· A photograph of your face provided as part of
Latitude’s identity verification process.
Steps we are taking to help you
Replacement of identity documents
Official
We are currently working with government agencies on the
process to replace your stolen identity document (where
necessary) at no cost to you. In respect of any necessary
replacement of New Zealand driver licences, we are not yet
the
ready for you to contact the Waka Kotahi NZ Transport
Agency. We are working as quickly as possible. We will write
to you to provide tailored information depending on the
information stolen and the requirements of the Waka Kotahi
NZ Transport Agency.
under
Important: We are also working with government to
determine which identity documents need to be replaced.
· You may not need to replace your driver licence if
only some details are impacted, rather than a full
copy or image of your driver licence.
· You may also not need to replace your identity
document if you have renewed or replaced it since
the time that you provided it to us.
Released
· For New Zealand passport holders involved in this
incident, the Department of Internal Affairs (DIA)
has confirmed that impacted passports are still safe
to use. Further information is available at
passports.govt.nz
--
1982
wbd.com
Act
--
wbd.com
Information
Official
the
under
Released
From:
Media Internal Affairs
To:
Media Internal Affairs;
Subject:
RE: AM CONFIRMATION - MARIA ROBERTSON - MARCH 22
Date:
Tuesday, 21 March 2023 5:06:27 pm
Attachments:
image001.png
Kia ora
Thanks for your enquiry. Please see our answer below, which can be attributed to Julia
1982
Wootton, General Manager Services and Access at Te Tari Taiwhenua Department of
Internal Affairs.
1. Who should we be giving our passports to?
The primary purpose of the New Zealand Passport is to facilitate travel .
Act
We understand that people do use it as a form of identification, but urge passport
holders to exercise caution when providing their passport for this purpose.
For example, it is always good to enquire about how any copies of any of their identity
documents are stored, shared and used when supplying this information to third parties.
Our advice is for people to keep their passport secure while they are using it, store it
safely away from view when they are not, and never hand it over as a guarantee.
Additional tips for keeping your passport safe are available from
passports.govt.nz/travel-information/ and safetravel.govt.nz/passports-and-visas.
2. What is your advice to companies who request our passport information?
The collection, storage and use of passport information should comply with the
Information
provisions of the Privacy Act and companies should take particular care not to over
collect personal information.
The Privacy Act 2020 governs how organisations and businesses can collect, store, use
and share personal information.
The Privacy Act has 13 privacy principles that govern how businesses and organisations
should collect, handle and use personal information.
More information on these principles is available from privacy.org.nz/privacy-act-
Official
2020/privacy-principles/.
If you need more information or advice for companies handling personal information,
please contact the Privacy Commissioner.
We also suggest that businesses investigate other ways of confirming identity such as a
the
RealMe verified identity.
RealMe makes it easier for people to access and use online services offered by both
government and the private sector. The service has been created to build trust and
confidence by adhering to New Zealand Government security, identity and privacy
legislation.
under
Please visit realme.govt.nz/ for more information.
3. Are employees legally obligated to give up this information?
Please refer to our response to question number two. People are not legally obligated to
provide passport information, and the collection, storage and use of passport
information should comply with the provisions of the Privacy Act.
4. If passport information has been stolen through hacking, should you get a new
one?
In relation to the Latitude Financial Services data breach, the Department has assessed
the risk and determined that people do not need to apply for a new passport.
A passport cannot be renewed with just the information from the passport book alone,
Released
and DIA has robust processes in place to determine that only those who should be
1982
Act
Information
Official
the
under
Released
Studio
0650 AM
Arrival
Time
On Air
0720 AM
Time
Topic
Latitude hack
Talent Details
1982
Name
Maria Robertson
Designation Department of Internal Affairs Deputy Chief Executive
Contact
cell number | [email address]
Act
Details
Social
Platform | @Handle
Media
Please provide
one only
(FB, Tw, IG,
Tik Tok)
Important Information
Location
Newshub Wellington Newsroom, 15 Walter Street, Te Aro, Wellington
Transport
Visitor parking is available on site.
Please do not use other reserved car parks. Additional on-street parking is available if visitor parking is full.
Taxi transfers can be arranged on request.
Appearance There is no formal dress-code for the show, however as a national news show, we do ask you to
Information
dress tidily. Please do not wear stripes or busy patterns.
You will be fitted with a lapel-microphone, so please do not wear bracelets or heavy jewellery
that may make noise or bump against the microphone when you move.
Hair &
Please arrive camera ready. Please no wet-hair.
Makeup
Language
Please remember, as we are on-air early in the morning, children may be watching, so take care
with your language.
Official
Copies of
Unfortunately due to the high volume of content we produce, we can’t guarantee your interview
recordings will be posted on our digital assets. We are also unable to provide a clipping of your interview.
If you’d like to review your appearance, we suggest recording it on your own device.
Please let us know if you have any questions!
the
under
--
wbd.com
Released
From:
John Crawford-Smith
To:
Russell Burnard; Jeremy Williams; Julia Wootton; Alex Rickard; Olivia Hannah
Subject:
Office of Privacy Commissioner to investigate Latitude mega privacy breach
Date:
Wednesday, 10 May 2023 12:01:43 pm
https://www.stuff.co.nz/business/132000886/office-of-privacy-commissioner-to-
investigate-latitude-mega-privacy-breach
1982
Act
Information
Official
the
under
Released
From:
Cristian Cornejo
To:
Jeremy Williams; Julia Wootton
Cc:
Maria Robertson; John Crawford-Smith; Media Internal Affairs
Subject:
RE: Newshub - Update on Latitude hack
Date:
Monday, 27 March 2023 2:05:59 pm
Attachments:
image001.png
image002.png
image003.png
1982
Thanks Jeremy.
Fingers crossed we can get something form them in the next couple of hours.
Cheers,
Act
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
From: Jeremy Williams <[email address]>
Sent: Monday, 27 March 2023 2:01 pm Official
To: Cristian Cornejo <[email address]>; Julia Wootton
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Media Internal Affairs <[email address]>
the
Subject: RE: Newshub - Update on Latitude hack
Hi Cristian,
I’ve gone back to them to indicate we would like these numbers asap but obviously this remains
under
out of our control. I will let you know if we get any further updates asap.
In the instance I cant get anything additional, your final paragraph is spot on – i.e. we’re still
waiting on Latitude.
I’ve attached the latest update we’ve got.
Jeremy
Released
From: Cristian Cornejo <[email address]>
Sent: Monday, 27 March 2023 1:57 PM
To: Julia Wootton <[email address]>; Jeremy Williams
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Media Internal Affairs <[email address]>
Subject: RE: Newshub - Update on Latitude hack
Thanks for the quick reply, Julia.
1982
Do you think we could push for a number before the end of the day? It would reflect better on
the Department if we were known to have the latest information, reinforcing the idea that we
are on top of this.
If a getting a number before the end of the day is not possible, we can say we’re still working
Act
closely with Latitude, but can’t provide an update number because the data is still being
analysed.
Ngā mihi,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Information
Mobile:
dia.govt.nz | Facebook | LinkedIn
Official
From: Julia Wootton <[email address]>
Sent:
the
Monday, 27 March 2023 1:26 pm
To: Cristian Cornejo <[email address]>; Jeremy Williams
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Media Internal Affairs <[email address]>
Subject: RE: Newshub - Update on Latitude hack
under
I’ve been in touch with Latitude this morning asking for an update on numbers. They don’t have
anything further at this stage as they are still analysing the dataset.
From: Cristian Cornejo <[email address]>
Sent: Monday, 27 March 2023 1:25 pm
To: Julia Wootton <[email address]>; Jeremy Williams
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
Released
[email address]>; Media Internal Affairs <[email address]>
Subject: FW: Newshub - Update on Latitude hack
1982
Act
Information
Official
the
under
Released
Latitude Finance has provided an update on how many passports, driver's licenses etc were
stolen in their security breach.
I was wondering if the DIA knows how many New Zealand customers have been affected in
regard to these new figures.
Kind regards,
1982
Act
newshub.co.nz
wbd.com
From:
@tvnz.co.nz>
Information
Sent: Monday, 27 March 2023 1:08 pm
To: Media Internal Affairs <[email address]>
Subject: TVNZ query
Hi there,
Official
I see Latitude has just put out an update confirming their hack is worse than initially
thought - and say that 53,000 passports were taken.
the
Can someone from DIA confirm the number of NZ ones impacted if it's changed from last
week?
Cheers,
under
Released
1982
Act
Information
Official
the
under
Released
From:
Jeremy Williams
To:
Cristian Cornejo; Julia Wootton
Cc:
Maria Robertson; John Crawford-Smith; Media Internal Affairs
Subject:
RE: Newshub - Update on Latitude hack
Date:
Monday, 27 March 2023 2:01:27 pm
Attachments:
LFS ASX cyber update 270323.pdf
image001.png
image002.png
image003.png
1982
Hi Cristian,
I’ve gone back to them to indicate we would like these numbers asap but obviously this remains
Act
out of our control. I will let you know if we get any further updates asap.
In the instance I cant get anything additional, your final paragraph is spot on – i.e. we’re still
waiting on Latitude.
I’ve attached the latest update we’ve got.
Jeremy
From: Cristian Cornejo <[email address]>
Sent: Monday, 27 March 2023 1:57 PM
Information
To: Julia Wootton <[email address]>; Jeremy Williams
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Media Internal Affairs <[email address]>
Subject: RE: Newshub - Update on Latitude hack
Official
Thanks for the quick reply, Julia.
Do you think we could push for a number before the end of the day? It would reflect better on
the Department if we were known to have the latest information, reinforcing the idea that we
are on top of this.
the
If a getting a number before the end of the day is not possible, we can say we’re still working
closely with Latitude, but can’t provide an update number because the data is still being
analysed.
Ngā mihi,
under
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Released
1982
From: Julia Wootton <[email address]>
Sent: Monday, 27 March 2023 1:26 pm
To: Cristian Cornejo <[email address]>; Jeremy Williams
Act
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Media Internal Affairs <[email address]>
Subject: RE: Newshub - Update on Latitude hack
I’ve been in touch with Latitude this morning asking for an update on numbers. They don’t have
anything further at this stage as they are still analysing the dataset.
From: Cristian Cornejo <[email address]>
Sent: Monday, 27 March 2023 1:25 pm
To: Julia Wootton <[email address]>; Jeremy Williams
Information
<[email address]>
Cc: Maria Robertson <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Media Internal Affairs <[email address]>
Subject: FW: Newshub - Update on Latitude hack
Importance: High
Kia ora Jeremy,
Official
I’m reaching out to you in Julia’s absence.
the
Following and update from Latitude Finance on how many passports, driver's licenses etc were
compromised in their security breach, we’ve had a couple of media outlets reaching out to ask if
we can provide an updated number on the amount of NZ passports affected.
Do we have an updated number we can provide
by 4:30pm today?
under
FYI, we provided a number early last week, the number of affected NZ Passports was 1342 back
then. - https://www.newshub.co.nz/home/technology/2023/03/department-of-internal-affairs-
says-more-than-1300-kiwis-passport-details-stolen-in-massive-hack-on-latitude-financial.html
Thank you!
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Released
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
1982
Act
Information
Official
the
under
Released
To: Media Internal Affairs <[email address]>
Subject: TVNZ query
Hi there,
I see Latitude has just put out an update confirming their hack is worse than initially
thought - and say that 53,000 passports were taken.
1982
Can someone from DIA confirm the number of NZ ones impacted if it's changed from last
week?
Act
Cheers,
Information
Official
the
under
Released
Latitude Group Holdings Ltd
ACN 604 747 391
Level 18, 130 Lonsdale St,
Melbourne VIC 3000
latitudefinancial.com
27 March 2023
ASX ANNOUNCEMENT
1982
Cybercrime update
From the outset of the cyber-attack on Latitude (ASX: LFS), we have sought to keep our customers, partners,
Act
employees and the broader community as up to date as we can.
This malicious attack on Latitude is under investigation by the Australian Federal Police and we continue to work
with the Australian Cyber Security Centre and our expert cyber-security advisers.
To the best of our knowledge no suspicious activity has been observed in Latitude’s systems since Thursday 16
March 2023.
As our forensic review continues to progress, we have identified that approximately 7.9 million Australian and New
Zealand driver licence numbers were stolen, of which approximately 3.2 million, or 40%, were provided to us in the
last 10 years.
In addition, approximately 53,000 passport numbers were stolen.
Information
We have also identified less than 100 customers who had a monthly financial statement stolen.
We will reimburse our customers who choose to replace their stolen ID document.
A further approximately 6.1 mil ion records dating back to at least 2005 were also stolen, of which approximately 5.7
mil ion, or 94%, were provided before 2013.
These records include some but not all of the fol owing personal information: name, address, telephone, date of
birth.
Official
Latitude maintains insurance policies to cover risks, including cyber-security risks, and we have notified our insurers
in respect of this incident.
the
We recognise that today’s announcement wil be a distressing development for many of our customers and we
apologise unreservedly.
We are writing to all customers, past customers and applicants whose information was compromised outlining
details of the information stolen and our plans for remediation.
Supporting our customers
under
Latitude is undertaking a comprehensive customer care program to support affected individuals. Some of the steps
we are taking include:
Latitude’s dedicated contact centres are available for affected customers in Australia and New Zealand between
9am – 6pm AEDT/NZST, Monday – Friday.
Hardship support is available via our dedicated contact centres for customers who are in a uniquely vulnerable
position as a result of this cyber-attack.
We have engaged IDCARE, a not-for profit organisation specialising in providing free, confidential cyber incident
information and assistance. If you wish to speak with one of their expert Case Managers, please visit idcare.org or
call (New Zealand) 0800 121 068, 11am – 6pm NZST, Monday – Friday (excluding public holidays) or (Australia)
Released
1800 595 160 (use the referral code LAT23).
Mental Health and Wellbeing Support is available free of charge through our Support Line 0800 808 374 (New
Zealand) or 1800 808 374 (Australia).
The help page on our website is also being kept up to date with the latest information.
Steps you can take to protect yourself
There are immediate precautions that you can take, which include:
• Contacting one of Australia’s credit reporting agencies for a credit report so you can check if your identity has
been used to obtain credit without your knowledge.
• In New Zealand, checking your credit record to confirm if your identity has been used to obtain credit without
your knowledge. For further information, please refer to:
govt.nz/browse/consumer-rights-and-complaints/debt-and-credit-records/check-your-own-credit-report
• Requesting the credit reporting agencies to place a credit ban or suspension on your credit file via
1982
their website or by contacting them directly. Please be aware that you wil not be able to apply for credit while
the ban or suspension is in place.
Be Alert
Act
We urge our customers to be
vigilant with al online communications and transactions, including:
• Staying alert for any phishing scams via phone, post or email
• Ensuring communications received are legitimate
• Not opening texts from unknown or suspicious numbers
• Changing passwords regularly with ‘strong’ passwords, not re-using passwords and activating multi-factor
authentications when available on any online accounts
• Latitude wil not contact customers asking for password or sensitive information
If you are a victim of cybercrime, you can report it at ReportCyber on the Australian Cyber Security Centre website.
If you wish to report a scam or a vulnerability, go to ScamWatch.
Latitude Financial CEO Ahmed Fahour said:
Information
“It is hugely disappointing that such a significant number of additional customers and applicants have been affected
by this incident. We apologise unreservedly.
“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to
them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full
review of what has occurred.
“We urge al our customers to be vigilant and on the look-out for suspicious behaviour relating to their accounts. We
Official
wil never contact customers requesting their passwords.
“We continue to work around the clock to safely restore our operations. We are rectifying platforms impacted in the
attack and have implemented additional security monitoring as we return to operations in the coming days.
the
“We thank customers and merchant partners for their support and patience. Customers can continue to make
transactions on their Latitude credit card.”
Authorised for release to the ASX by the Board of Directors.
For further information: under
Media
Investor Relations
Mark Gardy
Matthew Wilson
+61 412 376 817
+61 401 454 621
Released
From:
Russell Burnard
To:
John Crawford-Smith
Subject:
Re: Newshub interview and article
Date:
Wednesday, 22 March 2023 9:53:48 am
Attachments:
image001.png
Well done - she did well
1982
Get Outlook for iOS
From: John Crawford-Smith <[email address]>
Sent: Wednesday, March 22, 2023 9:43:09 AM
Act
To: Russell Burnard <[email address]>
Subject: Fwd: Newshub interview and article
FYI
Get Outlook for iOS
From: Maria Robertson <[email address]>
Sent: Wednesday, March 22, 2023 9:31:19 AM
To: Cristian Cornejo <[email address]>; Julia Wootton
<[email address]>
Information
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Sean O'Neill <Sean.O'[email address]>
Subject: Re: Newshub interview and article
Thanks Cristian - we did well to pull this together promptly. Good messages out the door.
Thanks for that.
M
Official
the
Maria Robertson| Deputy Chief Executive
Kawai Ki Te Iwi | Service Delivery and Operations
Mobile:
45 Pipitea Street | PO Box 805, Wellington 6140, New Zealand | www.dia.govt.nz
Logo-test
under
From: Cristian Cornejo <[email address]>
Sent: Wednesday, March 22, 2023 9:23:00 AM
To: Maria Robertson <[email address]>; Julia Wootton
<[email address]>
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Sean O'Neill <Sean.O'[email address]>
Released
Subject: Newshub interview and article
Mōrena koutou,
Please see below FYI the links to
article and Maria’s interview from this
morning about the Latitude Financial breach.
Thanks again to everyone for your help getting this out the door yesterday evening.
article: Department of Internal Affairs says more than 1300 Kiwis' passport details
1982
stolen in massive hack on Latitude Financial
Maria’s interview: Department of Internal Affairs' advice to New Zealanders as thousands of
passport details, driver's licenses stolen in Latitude security breach
Act
Ngā mihi,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
Official
the
under
Released
From:
John Crawford-Smith
To:
Cristian Cornejo; Julia Wootton
Cc:
Media Internal Affairs
Subject:
RE: Newshub
Date:
Tuesday, 21 March 2023 4:07:47 pm
Attachments:
image001.png
image002.png
Importance:
High
1982
Kia ora Cristina,
This looks fine to me however, as it is attributed to Julia think she should see it.
Julia has advised not to release that number so how about.
Act
We are working closely with Latitude to identify impacted passport holders.
Regards
John Crawford-Smith | Principal Advisor
Te Pāhekoheko| Operations
Kāwai ki te Iwi| Service Delivery and Operations
Te Tari Taiwhenua | Department of Internal Affairs
M:
Information
www.dia.govt.nz
Logo-test
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 3:59 pm Official
To: John Crawford-Smith <[email address]>
Cc: Media Internal Affairs <[email address]>
Subject: RE: Newshub
the
Hi John please see a proposed draft response below.
I would check with whoever is leading the relationship with Latitude if it is ok for us to disclose
the number of affected customers.
-STARTS-
under
Kia ora
Thanks for your enquiry. Please see our answer below, which can be attributed to Julia Wootton,
General Manager Services and Access at Te Tari Taiwhenua Department of Internal Affairs.
1.
Why is it considered safe to continue using a passport if the details of this have been
stolen?
Our Department has robust controls that protect passports from identity takeover, including
sophisticated facial recognition technology. This means people cannot get a passport in someone
Released
else’s identity, even if they have their passport details.
It is also not possible to use passport details to travel in someone else’s identity. For
someone to travel using another person’s passport information, they would need the actual
passport, not just the passport details.
People wanting to find more information about what to do if their passport was affected by
the Latitude Financial Services data breach can visit passports.govt.nz/latitude-financial-services-
data-breach/
2.
Is it still possible that impacted customers will need to replace their passports
1982
eventually?
If the passport has been renewed since they provided it to Latitude, there is no need no
need to do anything.
If they have not renewed their passport, there is also no need to replace their passport if it is
Act
still valid.
If someone chooses to replace their passport, the previous one will be cancelled once the
Department receives the application.
Note that a cancelled passport cannot be used for travel or identification purposes. The
person will need to wait until a replacement passport has been issued.
3.
How many NZ based customers of Latitude and associated businesses have been
affected by the cyber-attack according to what Latitude has told the DIA ?
According to our latest information, the number of affected NZ based customers is 1342.
Information
Ngā mihi,
-ENDS-
Thanks!
Cristián Cornejo (he/him)
Official
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
the
Mobile:
dia.govt.nz | Facebook | LinkedIn
under
From: John Crawford-Smith <[email address]>
Sent: Tuesday, 21 March 2023 2:37 pm
To: Cristian Cornejo <[email address]>
Cc: Media Internal Affairs <[email address]>
Subject: RE: Newshub
Released
Kia ora Cristina,
Refer to https://www.passports.govt.nz/latitude-financial-services-data-breach/
1.
Why is it considered safe to continue using a passport if the details of this have been
stolen?
If the passport has been renewed since they provided it somewhere there is no need no
need to do anything.
If they have not renewed their passport, there is also no need to replace their passport if it is 1982
still valid.
If someone chooses to replace their passport, the previous one will be cancelled once the
Department receives the application.
Act
Note that a cancelled passport cannot be used for travel or identification purposes. The
person will need to wait until a replacement passport has been issued.
The Department has robust controls that protect passports from identity takeover, including
sophisticated facial recognition technology.
Someone would need the actual passport, not just the passport details.
If someone’s passport has been lost or stolen, the person must let the Department’s
Passport Office know as soon as possible so we can cancel the passport and protect the
person from any misuse.
Information
2. Is it still possible that impacted customers will need to replace their passports eventually?
Refer above
3.
How many NZ based customers of Latitude and associated businesses have been affected
by the cyber-attack according to what Latitude has told the DIA ?
It is currently 1342
Official
Regards
the
John Crawford-Smith | Principal Advisor
Te Pāhekoheko| Operations
Kāwai ki te Iwi| Service Delivery and Operations
Te Tari Taiwhenua | Department of Internal Affairs
M:
under
www.dia.govt.nz
Logo-test
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 2:21 pm
To: John Crawford-Smith <[email address]>
Cc: Media Internal Affairs <[email address]>
Subject: FW: Newshub
Released
Hi John,
We got some additional questions about the Latitude date breach from another journalist at
Newshub.
The good news is these seem to be a lot more straightforward than the previous ones.
Can you please consider these ones as well while you work to answer the ones we sent to you
earlier?
1982
The deadline for these ones is 4:30pm today. If you think we won’t be able to meet the
deadline, let me know with time and we’ll message the journalist asking for more time.
1. Why is it considered safe to continue using a passport if the details of this have been stolen?
Act
2. Is it still possible that impacted customers will need to replace their passports eventually?
3. How many NZ based customers of Latitude and associated businesses have been affected by
the cyber-attack according to what Latitude has told the DIA ?
Cheers,
Cristián Cornejo (he/him)
Information
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Official
the
From: Media Internal Affairs <[email address]>
Sent: Tuesday, 21 March 2023 2:06 pm
To: Cristian Cornejo <[email address]>
under
Subject: FW: Newshub
From:
@discovery.com>
Sent: Tuesday, 21 March 2023 1:44 pm
To: Media Internal Affairs <[email address]>
Subject: Newshub
Released
Hi guys,
I have a query in relation to the cyber attack on Latitude Financial.
Below is a statement given to a NZ customer of Latitude finance company Gem citing some
information from DIA.
1. Why is it considered safe to continue using a passport if the details of this have been stolen?
1982
2. Is it still possible that impacted customers will need to replace their passports eventually?
3. How many NZ based customers of Latitude and associated businesses have been affected by
the cyber attack according to what Latitude has told the DIA ?
Act
Please come back to me by 430.
Cheers
On 16 March 2023, Latitude Financial
Services
(Latitude)1 advised all customers and the market that it
was responding to a malicious cyber-attack that resulted in the
Information
theft of personal information.
Regrettably, we are writing to you today to confirm that some of
your personal information has been stolen.
We sincerely apologise that this happened. Protecting your
personal information is of the utmost importance to Latitude and
Official
we are taking all necessary steps to secure our platforms.
This letter explains what happened, how we have responded
and outlines further precautionary steps you can take to lower
the
the risk of your information being potentially misused.
What happened?
Latitude is experiencing a malicious cyber-attack that has
under
resulted in a data theft.
While Latitude took immediate action, we understand that the
attacker, via a vendor, was able to steal Latitude employee login
credentials before the incident was contained. The attacker
appears to have used the employee login credentials to steal
personal information.
We have alerted and are working with relevant authorities and
Released law enforcement agencies, including the Australian Cyber
Security Centre, as well as external cyber security experts.
Latitude also notified the Office of the Privacy Commissioner
(OPC) about this incident on 16 March 2023. You have the right
to make a complaint to the
OPC. They are contactable at their
website here privacy.org.nz.
What kind of information has been impacted?
1982
We have so far identified that the incident has resulted in the
following kinds of your personal information being compromised.
We collected this information from you at the time you applied for
Act
credit or sought a quote from Latitude so we could verify your
identity.
· The passport information you supplied which, where
applicable, included your photograph, full name, date
of birth, passport number and dates of issue and
expiry.
· The personal information you supplied during your
application or quote request which, where applicable,
included your full name, address, and date of birth,
and your phone number.
Information
· A photograph of your face provided as part of Latitude’s
identity verification process.
Steps we are taking to help you
Replacement of identity documents
Official
We are currently working with government agencies on the
process to replace your stolen identity document (where
necessary) at no cost to you. In respect of any necessary
replacement of New Zealand driver licences, we are not yet
the
ready for you to contact the Waka Kotahi NZ Transport Agency.
We are working as quickly as possible. We will write to you to
provide tailored information depending on the information stolen
and the requirements of the Waka Kotahi NZ Transport Agency.
under
Important: We are also working with government to determine
which identity documents need to be replaced.
· You may not need to replace your driver licence if only
some details are impacted, rather than a full copy or
image of your driver licence.
· You may also not need to replace your identity document
if you have renewed or replaced it since the time that
you provided it to us.
·
Released For New Zealand passport holders involved in this
incident, the Department of Internal Affairs (DIA) has
confirmed that impacted passports are still safe to use.
Further information is available at passports.govt.nz
--
1982
wbd.com
Act
Information
Official
the
under
Released
From:
Cristian Cornejo
To:
Julia Wootton; Maria Robertson
Cc:
John Crawford-Smith; Media Internal Affairs; Sean O"Neill
Subject:
RE: TV3 AM show media request
Date:
Tuesday, 21 March 2023 4:12:22 pm
Attachments:
image001.png
image002.png
image003.png
1982
Thanks for your feedback on this, Maria and Julia.
I’ll send you a new version shortly.
Cristián Cornejo (he/him)
Act
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
From: Julia Wootton <[email address]>
Sent: Tuesday, 21 March 2023 4:06 pm
To: Cristian Cornejo <[email address]>; Maria Robertson
<[email address]>
Official
Cc: John Crawford-Smith <[email address]>; Media Internal Affairs
<[email address]>; Sean O'Neill <Sean.O'[email address]>
Subject: RE: TV3 AM show media request
the
Hi team
Some thoughts from me below in red
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 3:42 pm
under
To: Maria Robertson <[email address]>; Julia Wootton
<[email address]>
Cc: John Crawford-Smith <[email address]>; Media Internal Affairs
<[email address]>; Sean O'Neill <Sean.O'[email address]>
Subject: FW: TV3 AM show media request
Importance: High
Kia ora Julia and Maria,
Please see below a draft response to Newshub’s first media enquiry about the Latitude Financial
Released
Services data breach for your comments and approval.
There is a second enquiry that I will be sending to you shortly for the same purposes.
I’d appreciate if you could get back to us asap on this, as both enquiries have deadlines within
the next hour.
A big thank you to @John Crawford-Smith who put together all the info for the response.
-STARTS-
1982
Kia ora
Thanks for your enquiry. Please see our answer below, which can be attributed to Julia
Wootton, General Manager Services and Access at Te Tari Taiwhenua Department of
Act
Internal Affairs.
1. Who should we be giving our passports to?
The primary purpose of the New Zealand Passport is to facilitate travel . We understand
that people do use it as a form of identification but urge passport holders to exercise
caution and enquire about how any copies of any of their identity documents are stored,
shared and used when supplying this information to third parties.
Our advice is for people to keep their passport secure while they are using it, store it
safely away from view when they are not, and never hand it over as a guarantee.
Additional tips for keeping your passport safe are available from
Information
passports.govt.nz/travel-information/ and safetravel.govt.nz/passports-and-visas.
2. What is your advice to companies who request our passport information?
The New Zealand passport is property of the New Zealand Government. The collection,
storage and use of passport information should comply with the provisions of the Privacy Act
and companies should take particular care not to over collect personal information.
Official
The Privacy Act 2020 governs how organisations and businesses can collect, store, use
and share personal information.
The Privacy Act has 13 privacy principles that govern how businesses and organisations
should collect, handle and use personal information.
the
More information on these principles is available from privacy.org.nz/privacy-act-
2020/privacy-principles/.
If you need more information or advice for companies handling personal information,
please contact the Privacy Commissioner.
under
We also suggest that businesses investigate other ways of confirming identity such as a
RealMe verified identity.
RealMe makes it easier for people to access and use online services offered by both
government and the private sector. The service has been created to build trust and
confidence by adhering to New Zealand Government security, identity and privacy
legislation.
Please visit realme.govt.nz/ for more information.
3. Are employees legally obligated to give up this information?
Please see response to question number two. ?? I don’t understand this response
Released
4. If passport information has been stolen through hacking, should you get a
new one?
In relation to the Latitude Financial Services data breach we have assessed the risk and
determined that people do not need to apply for a new passport. A passport cannot be
renewed with just the information from the passport book alone and DIA has robust
processes in place to determine that only those who should be entitled to a new
passport are able to get one.
1982
No, people don’t need to get a new passport.
If a person’s passport has been renewed since they provided it to the company or
institution that has been compromised in the cyberattack, there is no ned no need to do
anything.
Act
If they have not renewed their passport, there is also no need to replace the passport if
it is still valid.
If they choose to replace their passport, the previous one will be cancelled once the
Department receives the application.
Please note that a cancelled passport cannot be used for travel or identification
purposes. The person will need to wait until a replacement passport has been issued.
For more information about what to do if your passport was affected by the Latitude
Financial Services data breach, please visit passports.govt.nz/latitude-financial-services-
data-breach/
Information
5. Why are companies/organisations allowed to request passport information?
Please see response to question number two.
6. Why or why isn't that ethical?
We do not believe it’s the Department’s place to answer this question.
7. Additional comments Official
No additional comments.
Ngā mihi,
the
-ENDS-
Cheers,
Cristián Cornejo (he/him)
under
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Released
From: John Crawford-Smith <[email address]>
Sent: Tuesday, 21 March 2023 3:36 pm
To: Cristian Cornejo <[email address]>
Subject: RE: TV3 AM show media request
Kia ora Cristian,
1982
Looks fine to me
Regards
Act
John Crawford-Smith | Principal Advisor
Te Pāhekoheko| Operations
Kāwai ki te Iwi| Service Delivery and Operations
Te Tari Taiwhenua | Department of Internal Affairs
M:
www.dia.govt.nz
Logo-test
Information
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 3:34 pm
To: John Crawford-Smith <[email address]>
Subject: RE: TV3 AM show media request
Hi John,
Official
I’ve drafted the response below based on the information you put together for us.
In this case we think less is probably more, so I’ve worked to provide answers that make sense
without going into too much detail that might confuse audiences or prompt additional questions
from the journalist.
the
Please let me know if you are happy with it and I’ll send it to Julia and Maria for approval.
-STARTS-
Kia ora
under
Thanks for your enquiry. Please see our answer below, which can be attributed to Julia Wootton,
General Manager Services and Access at Te Tari Taiwhenua Department of Internal Affairs.
1.
Who should we be giving our passports to?
Our advice is for people to keep their passport secure while they are using it, store it safely away
from view when they are not, and never hand it over as a guarantee.
Additional tips for keeping your passport safe are available from passports.govt.nz/travel-
information/ and safetravel.govt.nz/passports-and-visas.
Released
2.
What is your advice to companies who request our passport information?
The Privacy Act 2020 governs how organisations and businesses can collect, store, use and share
personal information.
The Privacy Act has 13 privacy principles that govern how businesses and organisations should
collect, handle and use personal information.
More information on these principles is available from privacy.org.nz/privacy-act-2020/privacy-
principles/.
If you need more information or advice for companies handling personal information, please
contact the Privacy Commissioner.
1982
We also suggest that businesses investigate other ways of confirming identity such as a RealMe
verified identity.
RealMe makes it easier for people to access and use online services offered by both government
Act
and the private sector. The service has been created to build trust and confidence by adhering to
New Zealand Government security, identity and privacy legislation.
Please visit realme.govt.nz/ for more information.
3.
Are employees legally obligated to give up this information?
Please see response to question number two.
4.
If passport information has been stolen through hacking, should you get a new one?
No, people don’t need to get a new passport.
If a person’s passport has been renewed since they provided it to the company or institution that
Information
has been compromised in the cyberattack, there is no ned no need to do anything.
If they have not renewed their passport, there is also no need to replace the passport if it is still
valid.
If they choose to replace their passport, the previous one will be cancelled once the Department
receives the application.
Please note that a cancelled passport cannot be used for travel or identification purposes. The
person will need to wait until a replacement passport has been issued.
Official
For more information about what to do if your passport was affected by the Latitude Financial
Services data breach, please visit passports.govt.nz/latitude-financial-services-data-breach/
5.
Why are companies/organisations allowed to request passport information?
the
Please see response to question number two.
6.
Why or why isn't that ethical?
We do not believe it’s the Department’s place to answer this question.
under
7.
Additional comments
No additional comments.
Ngā mihi,
-ENDS-
Cheers,
Cristián Cornejo (he/him)
Released
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
1982
Act
From: John Crawford-Smith <[email address]>
Sent: Tuesday, 21 March 2023 2:23 pm
To: Cristian Cornejo <[email address]>
Subject: RE: TV3 AM show media request
How is this?
Regards
Information
John
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 2:14 pm
To: Maria Robertson <[email address]>; Nicki Le Grice
<[email address]>
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
Official
[email address]>; Sean O'Neill <Sean.O'[email address]>; Rachel Prosser
<[email address]>
Subject: RE: TV3 AM show media request
the
Thank you!
I will work with journalist and Nicki to find a time for you to do this.
Cheers,
under
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Released
1982
From: Maria Robertson <[email address]>
Sent: Tuesday, 21 March 2023 2:06 pm
To: Cristian Cornejo <[email address]>
Act
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Sean O'Neill <Sean.O'[email address]>; Rachel Prosser
<[email address]>
Subject: RE: TV3 AM show media request
Hi
Yes, sure thing.
M
Information
Maria Robertson| Deputy Chief Executive
Kawai Ki Te Iwi | Service Delivery and Operations
Mobile:
45 Pipitea Street | PO Box 805, Wellington 6140, New Zealand | www.dia.govt.nz
Logo-test
Official
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 1:54 PM
the
To: Maria Robertson <[email address]>
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Sean O'Neill <Sean.O'[email address]>; Rachel Prosser
<[email address]>
Subject: FW: TV3 AM show media request
Importance: under
High
Kia ora Maria,
Please see below an enquiry we’ve got in the context of the Latitude Financial Services data
breach.
John is working on a response, but in the meantime we’re reaching to you because the journalist
has also asked if someone would be available for an interview on passport safety for the AM
Show tomorrow.
I believe the team has already been in touch with you about this, and I’m looking to confirm with
Released
you if you are willing and available to do this interview tomorrow morning.
If you are keen to do the interview, could you please let me know about your availability to drop
by their studio tomorrow morning and I’ll work with the journalist to coordinate.
If you’d rather have someone else do the interview, or decline the interview and just send the
written response John is working on, let me know and we can work on that too.
Thanks!
Cristián Cornejo (he/him)
1982
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Act
Mobile:
dia.govt.nz | Facebook | LinkedIn
From: Rachel Prosser <[email address]>
Information
Sent: Tuesday, 21 March 2023 1:02 pm
To: Cristian Cornejo <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>
Cc: Media Internal Affairs <[email address]>
Subject: Re: TV3 AM show media request
Hi all, am on leave but want to note that care is needed with a really
Official
tricky set of questions, which actually go beyond passports to the
department’s role in maintaining the identity management standards
(saying what combination of documents should be required to verify
identity identity). our role in AML CFT regulator which requires
the
vérifications, the future of
Digital identity and our role promoting the IVS / Real Me Verified and
the Confirmation service - organisations who use RealMe verified don’t
need the passport.
Q
Questions 3 and 5 look to privacy principles of necessity.
under
It also looks to the complex issue of data retention and whether passport
data needs to be retained.
It’s not that we cover all of those ; in the timeframe aligning the
department would ne tricky: it’s more being careful that whatever we do
advise isn’t going across other parts of the department advise.
This is a good opportunity to promote Real Me verifies though.
It almost feels like Paul not Maria - I’d check that with her asap.
Released
Get Outlook for iOS
From: Cristian Cornejo <[email address]>
Sent: Tuesday, March 21, 2023 12:35 PM
To: John Crawford-Smith <[email address]>
1982
Cc: Media Internal Affairs <[email address]>; Rachel Prosser
<[email address]>
Subject: FW: TV3 AM show media request
Act
Kia ora John,
I’m reaching out to you in Rachel’s absence. She usually coordinates the responses to media
enquiries and we work with her to get the responses out to journalists.
Please see below an enquiry we’ve got in the context of the Latitude Financial Services data
breach. They are asking for advice on several aspects of passport information sharing.
I know there is some general advice about this on the passports website and that a page has
been specifically set up for the Latitude data breach, but Is there any mor specific lines or advice
that we could use to respond to this enquiry?
Information
Please note the journalist has also asked if someone would be available for an interview on
passport safety for the AM Show tomorrow. We can raise that request with Maria once we’ve
put together our response to the enquiry.
Because they want this to be ready for the AM Show tomorrow, we should work towards
providing the response
before COB today.
Please let me know if you are able to help or point me towards someone who can.
Official
Ngā mihi,
Cristián Cornejo
the
(he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
under
dia.govt.nz | Facebook | LinkedIn
From:
@discovery.com>
Released
Sent: Tuesday, 21 March 2023 11:34 am
To: Media Internal Affairs <[email address]>
1982
Act
Information
Official
the
under
Released
From:
Cristian Cornejo
To:
Rachel Prosser; John Crawford-Smith
Cc:
Media Internal Affairs
Subject:
RE: TV3 AM show media request
Date:
Tuesday, 21 March 2023 1:28:54 pm
Attachments:
image001.png
Thanks Rachel,
1982
You make good points; some of the questions below are probably not ours to answer or go
beyond the issue of passport safety.
I would recommend just providing lines around passport safety advice and perhaps refer the
Act
other ones to someone more suitable like the privacy commissioner?
Ngā mihi,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
Official
From: Rachel Prosser <[email address]>
Sent: Tuesday, 21 March 2023 1:02 pm
To: Cristian Cornejo <[email address]>; John Crawford-Smith <John.Crawford-
the
[email address]>
Cc: Media Internal Affairs <[email address]>
Subject: Re: TV3 AM show media request
Hi all, am on leave but want to note that care is needed with a really
tricky set of questions, which actually go beyond passports to the
under
department’s role in maintaining the identity management standards
(saying what combination of documents should be required to verify
identity identity). our role in AML CFT regulator which requires
vérifications, the future of
Digital identity and our role promoting the IVS / Real Me Verified and
the Confirmation service - organisations who use RealMe verified don’t
need the passport.
Q
Questions 3 and 5 look to privacy principles of necessity.
It also looks to the complex issue of data retention and whether passport
Released
data needs to be retained.
It’s not that we cover all of those ; in the timeframe aligning the
department would ne tricky: it’s more being careful that whatever we do
advise isn’t going across other parts of the department advise.
This is a good opportunity to promote Real Me verifies though.
It almost feels like Paul not Maria - I’d check that with her asap.
1982
Act
Get Outlook for iOS
From: Cristian Cornejo <[email address]>
Sent: Tuesday, March 21, 2023 12:35 PM
To: John Crawford-Smith <[email address]>
Cc: Media Internal Affairs <[email address]>; Rachel Prosser
<[email address]>
Subject: FW: TV3 AM show media request
Kia ora John,
Information
I’m reaching out to you in Rachel’s absence. She usually coordinates the responses to media
enquiries and we work with her to get the responses out to journalists.
Please see below an enquiry we’ve got in the context of the Latitude Financial Services data
breach. They are asking for advice on several aspects of passport information sharing.
I know there is some general advice about this on the passports website and that a page has
been specifically set up for the Latitude data breach, but Is there any mor specific lines or advice
Official
that we could use to respond to this enquiry?
Please note the journalist has also asked if someone would be available for an interview on
the
passport safety for the AM Show tomorrow. We can raise that request with Maria once we’ve
put together our response to the enquiry.
Because they want this to be ready for the AM Show tomorrow, we should work towards
providing the response
before COB today.
Please let me know if you are able to help or point me towards someone who can.
under
Ngā mihi,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
Released
dia.govt.nz | Facebook | LinkedIn
1982
Act
Information
Official
the
under
Released
1982
Act
Information
Official
the
under
Released
From:
Cristian Cornejo
To:
John Crawford-Smith
Cc:
Media Internal Affairs; Russell Burnard; Julia Wootton
Subject:
RE: TV3 AM show media request
Date:
Tuesday, 21 March 2023 12:55:48 pm
Attachments:
image001.png
image002.png
Thanks John,
1982
I will contact Maria asap.
Act
Cheers,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Information
From: John Crawford-Smith <[email address]>
Sent: Tuesday, 21 March 2023 12:45 pmOfficial
To: Cristian Cornejo <[email address]>
Cc: Media Internal Affairs <[email address]>; Russell Burnard <[email address]>;
Julia Wootton <[email address]>
the
Subject: RE: TV3 AM show media request
Ka ora Cristian,
I will start work on this now and suggest contacting Maria while I am doing that re her or
someone else’s availability as I note she is out of the office on ELT away days.
under
Russell and Julia FYI
Regards
John Crawford-Smith | Principal Advisor
Te Pāhekoheko| Operations
Kāwai ki te Iwi| Service Delivery and Operations
Te Tari Taiwhenua | Department of Internal Affairs
M:
Released
www.dia.govt.nz
1982
Act
Information
Official
the
under
Released
1982
Act
Information
Official
the
under
Released
From:
John Crawford-Smith
To:
Cristian Cornejo
Subject:
RE: TV3 AM show media request
Date:
Tuesday, 21 March 2023 2:22:58 pm
Attachments:
Passport media q 21 March.docx
image001.png
image002.png
How is this?
1982
Regards
Act
John
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 2:14 pm
To: Maria Robertson <[email address]>; Nicki Le Grice
<[email address]>
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Sean O'Neill <Sean.O'[email address]>; Rachel Prosser
<[email address]>
Subject: RE: TV3 AM show media request
Information
Thank you!
I will work with journalist and Nicki to find a time for you to do this.
Cheers,
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Official
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
the
Mobile:
dia.govt.nz | Facebook | LinkedIn
under
From: Maria Robertson <[email address]>
Sent: Tuesday, 21 March 2023 2:06 pm
To: Cristian Cornejo <[email address]>
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Sean O'Neill <Sean.O'[email address]>; Rachel Prosser
<[email address]>
Released
Subject: RE: TV3 AM show media request
Hi
Yes, sure thing.
M
Maria Robertson| Deputy Chief Executive
1982
Kawai Ki Te Iwi | Service Delivery and Operations
Mobile:
45 Pipitea Street | PO Box 805, Wellington 6140, New Zealand | www.dia.govt.nz
Act
Logo-test
From: Cristian Cornejo <[email address]>
Sent: Tuesday, 21 March 2023 1:54 PM
To: Maria Robertson <[email address]>
Cc: Media Internal Affairs <[email address]>; John Crawford-Smith <John.Crawford-
[email address]>; Sean O'Neill <Sean.O'[email address]>; Rachel Prosser
<[email address]>
Subject:
Information
FW: TV3 AM show media request
Importance: High
Kia ora Maria,
Please see below an enquiry we’ve got in the context of the Latitude Financial Services data
breach.
Official
John is working on a response, but in the meantime we’re reaching to you because the journalist
has also asked if someone would be available for an interview on passport safety for the AM
Show tomorrow.
I believe the team has already been in touch with you about this, and I’m looking to confirm with
the
you if you are willing and available to do this interview tomorrow morning.
If you are keen to do the interview, could you please let me know about your availability to drop
by their studio tomorrow morning and I’ll work with the journalist to coordinate.
If you’d rather have someone else do the interview, or decline the interview and just send the
written response John is working on, let me know and we can work on that too.
under
Thanks!
Cristián Cornejo (he/him)
Kaitohutohu Whakawhitiwhiti Matua| Senior Communications Advisor
Te Manu Karere | Communications
Te Tari Taiwhenua | Department of Internal Affairs
45 Pipitea Street | PO Box 805, Wellington 6140
Mobile:
dia.govt.nz | Facebook | LinkedIn
Released
1982
Act
Information
Official
the
under
Released
1982
Act
Information
Official
the
under
Released
1. Who should we be giving our passports to?
2. What is your advice to companies who request our passport information?
3. Are employees legally obligated to give up this information?
4. If passport information has been stolen through hacking, should you get a new one?
5. Why are companies/organisations allowed to request passport information? 6. Why or why
isn't that ethical?
1982
7. Additional comments
Further context can be found in this article:
https://www.newshub.co.nz/home/technology/2023/03/latitude-group-parent-company-of-
Act
genoapay-and-gem-hit-by-cyber-attack.html
--
Information
WBD.COM
Official
the
under
Released
1. Who should we be giving our passports to?
Along with being used for travel, passports are commonly used as a means of identification.
However, it is suggested that people don’t hand their passport over as a guarantee.1
That said, we know that many places ask for passports when providing a service (hotels, employment
agencies etc.) or product and while in theory people consent to providing their passport it is because
they need to do so to receive the service or product.
1982
2. What is your advice to companies who request our passport information?
Investigate other ways of confirming identity such as a RealMe verified identity. RealMe is used by
Act
many New Zealand businesses and government departments which is growing all the time as new
organisations sign up with RealMe.2
If somewhere does need to see a physical passport, then have a process where sighting it and
confirming it meets requirements is recorded rather than taking and retaining a copy. If they still
require a copy, only retain it as long as relevant in keeping with Privacy Principle 9 - an organisation
should not keep personal information for longer than it is required for the purpose it may lawfully be
used.3
3. Are employees legal y obligated to give up this information?
Information
As explained in 1, people don’t have to provide the information; however, this then results in them
not getting the service or product.
4. If passport information has been stolen through hacking, should you get a new one?
People don’t have to. If the passport has been renewed since they provided it somewhere there is no
ned no need to do anything.
Official
If they have not renewed their passport, there is also no need to replace their passport if it is still
valid.
If someone chooses to replace their passport, the previous one wil be cancel ed once the
Department receives the application.
the
Note that a cancelled passport cannot be used for travel or identification purposes. The person will
need to wait until a replacement passport has been issued.4
5. Why are companies/organisations allowed to request passport information?
under
Refer to earlier responses.
6. Why or why isn't that ethical?
This is not for us to answer.
1 https://www.safetravel.govt.nz/passports-and-visas
2
Released
https://www.realme.govt.nz/where-to-use-realme/
3 https://www.privacy.org.nz/privacy-act-2020/privacy-principles/9/
4 https://www.passports.govt.nz/latitude-financial-services-data-breach/
Page 1 of 2
7.
Additional comments
1982
Act
Information
Official
the
under
Released
Page 2 of 2
1982
Act
Information
Official
the
under
Page 1 of 4
Released
1982
Act
Information
Official
the
under
Released
1982
Act
Information
Official
the
under
Released
1982
Act
Information
Official
the
under
Released
Page 4 of 4