Privacy

11 Mar 2026

8 min read

Case Study: Privacy Risk in Australian Financial Services

Privacy breaches in the financial sector have far-reaching consequences for customers, for the affected institutions and for faith in the sector as a whole. Ensuring your compliance with privacy laws is in the best interests of your customers, your bottom line and your shareholders. Waiting for a breach to happen before doing anything? You may as well rip up your money.

The financial services sector sits at the intersection of everything Australian privacy law is designed to protect. Financial institutions hold some of the most sensitive personal information in existence: income details, credit history, investment portfolios, insurance claims, tax file numbers, and in many cases, health information connected to life or income protection products. The individuals whose data they hold are often at their most vulnerable, whether they are seeking a loan, making a claim, or planning for retirement.

That sensitivity makes financial services one of the highest-consequence sectors for privacy failure, and recent Australian cases have made the cost of that failure quantifiable. 

The Latitude Financial Breach: A Case Study in Inherited and Vendor Risk 

In March 2023, Latitude Financial Services disclosed a cyber breach that ultimately affected approximately 14 million people across Australia and New Zealand. The data exposed included roughly 7.9 million driver’s licence numbers, 53,000 passport numbers, and financial statements and account details going back more than a decade. 

At the time, it was the largest theft of personal data from an Australian financial institution ever reported. 

How the Breach Occurred 

The attack exploited credentials stolen from a Latitude third-party service provider with privileged access to Latitude’s systems. Once those credentials were compromised, the attacker was able to move laterally through Latitude’s environment and access data across multiple legacy systems, including data belonging to customers who had long since closed their accounts. 

Several features of this breach are especially instructive. 

The entry point was a vendor, not Latitude itself 

The attacker did not breach Latitude’s perimeter directly. They came in through a supplier. Under APP 11 of the Privacy Act 1988 (Cth), Latitude’s obligation to protect personal information extended to data in the hands of its service providers. The question of whether Latitude had taken “reasonable steps” to ensure that vendor’s access controls were adequate became central to the regulatory inquiry that followed. 

The data went back years 

Latitude was holding personal information relating to customers who had completed their financial relationship with the company years, and in some cases over a decade, earlier. A structured privacy audit, with a focus on data retention, would almost certainly have flagged this as both a legal vulnerability and a security risk. Would action to delete this historic data have prevented the breach? No. Would such action have minimised the impact on Latitude and its customers? Yes.  

Data that is not held cannot be stolen. 

A fragmented legacy environment 

Latitude had grown through acquisition, and its data landscape reflected that history: multiple systems, inconsistent controls, and data stored across environments that had not been subject to a consolidated privacy review. 

It’s the “boring” work that needs to be done with every acquisition: system rationalisation and integration, information rationalisation, and privacy control rationalisation. This work should be done pre-acquisition so the scope of work is known and can be priced accordingly, and post-acquisition to ensure you are getting what you paid for and so you can get the most value out of what you just bought. 

The Financial and Regulatory Fallout 

Latitude declined to pay the ransom demanded by the attacker, but the financial consequences were substantial regardless. Latitude reported that the breach and its response cost the business more than AUD $76 million, covering forensic investigation, legal advice, customer remediation, regulatory response, and operational disruption. 

The Office of the Australian Information Commissioner (OAIC) opened an investigation. Latitude, already operating in a trust-sensitive sector, faced the additional commercial consequence of fielding customer and partner concerns about data security at a time when it was also navigating broader business pressures. 

What a Privacy Audit Would Have Changed 

A structured privacy audit conducted before the breach would have addressed each of the primary failure points.

Vendor risk

A vendor privacy review, consistent with the APP 8 and APP 11 framework, would have assessed whether third-party providers with privileged system access had adequate access controls, contractual privacy obligations, and active oversight processes. The standard contractual clause that “vendors take security seriously” is not a reasonable step. Specific, enforceable obligations — with audit rights — are required.  

Data retention

A data mapping exercise would have identified the scale of historical personal information being held and flagged retention periods that were not legally justified. Data destroyed before a breach cannot be exposed in one.  

Legacy system risk

Post-acquisition environments with fragmented data stores are a known privacy vulnerability. The $5.8 million penalty imposed on Australian Clinical Labs illustrates that acquiring a business means acquiring its data risk. 

The FIIG Securities Case: When Governance Failure Becomes a Penalty Multiplier 

In 2024, ASIC brought proceedings against FIIG Securities Limited, a fixed income broker, following a cyber incident that exposed the personal and financial data of approximately 18,000 clients over a fourteen-month period. 

The Federal Court’s findings were stark. FIIG had failed to maintain adequate cyber security controls despite holding sensitive client information and having clear regulatory obligations under the Corporations Act 2001 (Cth) and its Australian Financial Services Licence conditions. The Court found that the failures were not isolated, but systemic. 

More importantly for financial risk planning, the Court explicitly noted that the cost of implementing appropriate controls before the breach would have been a fraction of the penalty imposed. The FIIG judgment is now a reference point in privacy and cyber risk assessments across Australian financial services: the penalty was estimated to be at least three times what adequate risk management would have cost. 

The Governance Lesson 

The FIIG case is not primarily a technology story. It is a governance story. The failures were visible long before the breach occurred: in risk registers, in audit findings, and in the absence of documented oversight. Had FIIG’s board and executive team treated privacy and cyber risk as a genuine governance obligation, with structured oversight, documented remediation plans, and regular assurance reporting, the outcome would almost certainly have been different.

For financial services businesses, this has a direct board implication. The FIIG case confirmed that regulators across the spectrum, including ASIC, APRA, and the OAIC, are each prepared to act independently and cumulatively. 

The Pattern Across Financial Services 

Latitude and FIIG are the highest-profile cases, but they are not isolated. Across the financial services sector, the privacy audit findings we see most often, and that recur most consistently, are:

  • Vendor contracts without enforceable privacy obligations 

  • Retention schedules that do not reflect legal requirements, are incomplete, or simply don’t exist 

  • Consents that do not adequately inform customers, are not specific and are outdated 

  • Collection notices that are outdated or incomplete 

  • Privacy impact assessments absent from new product development 

  • Staff training that is generic and annual rather than role-specific and regular 

What the Financial Services Sector Should Do Now 

The regulatory and commercial environment for financial services privacy in Australia has changed fundamentally. The combination of OAIC enforcement appetite, ASIC’s demonstrated willingness to prosecute cyber governance failures, rising maximum penalties, and a developing class action environment means that privacy risk is now quantifiably financial.  

So, what should you do about it? 

  1. Commission a privacy audit covering data mapping, retention schedule review, vendor contract assessment, APP compliance, and governance structure 

  2. Implement a privacy impact assessment process for every new product, service, or system involving personal information 

  3. Review vendor relationships with the same rigour applied to credit risk or operational risk 

  4. Build a documented incident response plan and test it 

  5. Report to your board on privacy governance as a standing agenda item 

Privacy in financial services is no longer a compliance function. It is a board-level risk management obligation and increasingly a competitive differentiator for the businesses that get it right. 

Need a hand? Enigma Law is a privacy law firm based in Melbourne, advising financial services businesses across Australia on privacy audits, regulatory compliance, vendor risk, and incident response. Contact jon@enigmalaw.com.au 