With the rise of generative artificial intelligence (GenAI), being technology that can create images, videos, and other content, there are newfound risks to identity theft. GenAI includes the emerging “deepfake” phenomenon.
GenAI enables people to create realistic visual impersonations in still and moving images, and even makes it possible to replicate voices. Sophisticated GenAI systems could imitate someone posing for a photo or a video and pull together soundbites to mimic their voice.
With this combination of information and technology, a hacker could conceivably create a video of an individual purportedly holding up their photo ID (which the hacker has obtained through a cyber-attack), tricking a biometric identification tool into believing they really are that individual. Similarly, a criminal could use voice-imitation technology to impersonate the victim on a phone call. This is no longer science fiction!
This evolution of GenAI systems may give cyber-criminals even more tools to exploit stolen personal information, to create a realistic embodiment of the victim of identity theft. Once a cyber-criminal has both stolen personal information and a GenAI virtual impersonation of the victim to match, the potential consequences, and resulting harm, are almost endless.
What does this mean for your business or organisation?
One lesson from the attack on Latitude’s systems is the importance of complying with IPP9. Businesses and organisations holding personal information must not keep it for any longer than it is needed. Where your business or organisation collects and holds personal information, it is imperative to have a robust system for frequently checking what is being retained, and then deleting or destroying personal information when the lawful basis for retaining it comes to an end.
Data retention is the “sleeping giant” of data security, and as the ways in which personal information can be accessed, stolen, and used for nefarious purposes grow ever more creative, the consequences for agencies become increasingly serious.
Now is the time for your business or organisation to consider the personal information you hold, and assess whether you might be retaining too much personal information for too long.
Special thanks to Partner Peter Fernando and Senior Associate Louisa Joblin for preparing this article. Duncan Cotterill’s specialist data protection and privacy lawyers can assist your business or organisation review your privacy posture and risks, and help you to strengthen your data retention/destruction practices. For more information, please contact a member of our data protection and privacy team.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.
