Latitude Financial Services could face a class action lawsuit from some of the 14 million customers who have had their personal information exposed in what has been dubbed Australia’s largest data breach.
Law firms Gordon Legal and Hayden Stephens and Associates announced on Tuesday they would investigate a potential legal action against Latitude over the breach.
On Monday, Latitude revealed that the extent of the breach was much larger than initially reported, with 14 million customers exposed in the attack and data dating back to 2005.
The documents include 7.9m Australian and New Zealand driver’s licence numbers, 53,000 passport numbers, and financial statements. The records – 5.7m of which were held by the company before 2013 – include names, addresses, phone numbers and dates of birth.
“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly,” Latitude’s chief executive, Ahmed Fahour, said of the breach.
Latitude offers financing direct to customers at stores including JB Hi-Fi, The Good Guys and Harvey Norman.
Gordon Legal partner James Naughton said the firm was investigating how a breach of this size could occur, including the effectiveness of Latitude’s security measures.
“Latitude customers deserve to understand their legal rights and the steps that have been taken to protect their personal data,” he said.
The home affairs minister, Clare O’Neil, said on Monday the incident was “deeply concerning” and the federal government had convened the National Coordination Mechanism to bring together the commonwealth, the states and territories for a response.
The group has met five times since 16 March on the Latitude breach.
“Latitude Financial is cooperating with government in responding to this incident, and we expect the company to continue to swiftly provide the government with all information it needs,” O’Neil said.
“It remains our position that no customer should bear the cost of a data breach and we are working with Latitude Financial to ensure that the customers affected by this attack are protected from immediate and future risks.”
After the two previously largest breaches – Optus and Medibank – the Albanese government passed legislation in November that allows the Office of the Australian Information Commissioner to seek a maximum penalty against businesses of $50m for repeated or serious data breaches, up from $2.2m previously.
Guardian Australia asked O’Neil’s office whether the attack on Latitude was believed to be a sophisticated one and whether Latitude was reckless in its protection of customer data, but was directed back to Monday’s statement.
In February, the attorney general’s department recommended – in its long-awaited review of Australian privacy law – that in addition to existing requirements that companies only collect what is reasonably necessary and destroy data when no longer required, companies should periodically review the time they hold personal information for.
The report also recommends people be given the right to take legal action as individuals for breaches of their privacy.
The department is accepting feedback on the report until 31 March ahead of the government’s response to the report.