The Office of the Australian Information Commissioner and the New Zealand Office of the Privacy Commissioner have launched a joint investigation into the personal information handling practices of Latitude Financial and its group companies. Australian Information Commissioner and Privacy Commissioner Angeline Falk said in a statement that it is the first joint investigation by the two bodies, reflecting the impact of the data breach on individuals in both countries. On March 16, Latitude reported that it had detected “unusual activity on its systems over the last few days that appears to be a sophisticated and malicious cyber-attack”.  It said the attacker used employee login credentials to steal information held by two of its service providers. Initially, it reported that around 103,000 identification documents, mostly drivers’ licences, were stolen from one and 225,000 customer records from the other. In the following days the position worsened, with the company reporting that passport numbers and Medicare numbers were also stolen. Then it reported that close to eight million drivers licence numbers were stolen, as well as more than six million historical customer records dating back to 2005. The matter is already under investigation by the Australian Federal Police and Latitude reported that it is working with the Australian Cyber Security Centre. The OAIC and OPC investigation will focus on whether Latitude took reasonable steps to destroy or de-identify personal information that was no longer required. The OAIC said that if the investigation leads to a finding that Latitude has breached one or more of the Australian Privacy Principles, then it can make a determination that can include requiring the company to take steps to ensure the breach is not repeated. It may also require the company to address any loss or damage. If the investigation finds serious or repeated breaches, the OAIC may seek civil penalties of up to A$50 million through the Federal Court.