Personal imitation — deleting data to minimise identity theft risks

Holding on to personal information for too long increases risks associated with cyber incidents, and emerging technologies expand the risks of exploitation of personal information for identity theft. What can we learn from the recent Latitude Financial Services incident?

Background

In mid-March 2023, Latitude Financial Services reported a cyber incident resulting in the theft of personal information belonging to over 14 million customers. The compromised personal information included almost 8 million drivers licence numbers and passports of individuals in Australia and New Zealand.

While affected individuals are still dealing with the repercussions of that major privacy incident, it illustrates why businesses and organisations holding and using personal information are encouraged to think about their own obligations, risks, and potential exposure, especially in light of new technologies.

How long can agencies hold onto personal information?

Information Privacy Principle 9 (IPP9) of the Privacy Act 2020 requires agencies to ensure they don’t hold onto personal information any longer than is lawful:

An agency that holds personal information must not keep that information for longer than is required for the purposes for which the information may lawfully be used.

Put simply, once there is no longer a lawful purpose for holding personal information, it must be destroyed, deleted, or otherwise de-anonymised (so that the individual to whom it relates can no longer be identified).

What constitutes a lawful basis for retaining personal information will differ depending on the circumstances. For example, information may be required to deliver services to customers or to comply with legal requirements (such as the retention of certain records for specified time periods).

The Latitude incident provides a clear example of an agency holding too much personal information for too long. When Latitude’s cybersecurity was compromised, there was a staggering amount of personal information available to be stolen. Latitude has reported that some of the stolen information dates back as far as 2005, and much of it relates to former customers.

What happens with stolen personal information?

Personal information obtained in a cyber-attack can often be used to commit identity theft — either by the attackers or by other cyber-criminals who purchase the compromised information online. The more personal information obtained, the more likely that a stolen identity can be impersonated.

Unfortunately, information like drivers licences and passports are particularly useful to cyber-criminals seeking to carry out identity theft, due to the rich combination of key personal details available on those official documents, such as full name, date of birth, photo, drivers licence or passport number, and sometimes even address. When that information is combined with additional publicly available personal information, such as the Electoral Roll or Companies Office, a cyber-criminal may have all they need to assume a stolen identity.  

What about artificial intelligence – does this raise new concerns?

With the rise of generative artificial intelligence (GenAI), being technology that can create images, videos, and other content, there are newfound risks to identity theft. GenAI includes the emerging “deepfake” phenomenon.

GenAI enables people to create realistic visual impersonations in still and moving images, and even makes it possible to replicate voices. Sophisticated GenAI systems could imitate someone posing for a photo or a video and pull together soundbites to mimic their voice.

With this combination of information and technology, a hacker could conceivably create a video of an individual purportedly holding up their photo ID (which the hacker has obtained through a cyber-attack), tricking a biometric identification tool into believing they really are that individual. Similarly, a criminal could use voice-imitation technology to impersonate the victim on a phone call. This is no longer science fiction!

This evolution of GenAI systems may give cyber-criminals even more tools to exploit stolen personal information, to create a realistic embodiment of the victim of identity theft. Once a cyber-criminal has both stolen personal information and a GenAI virtual impersonation of the victim to match, the potential consequences, and resulting harm, are almost endless.

What does this mean for your business or organisation?

One lesson from the attack on Latitude’s systems is the importance of complying with IPP9. Businesses and organisations holding personal information must not keep it for any longer than it is needed. Where your business or organisation collects and holds personal information, it is imperative to have a robust system for frequently checking what is being retained, and then deleting or destroying personal information when the lawful basis for retaining it comes to an end.

Data retention is the “sleeping giant” of data security, and as the ways in which personal information can be accessed, stolen, and used for nefarious purposes grow ever more creative, the consequences for agencies become increasingly serious.

Now is the time for your business or organisation to consider the personal information you hold, and assess whether you might be retaining too much personal information for too long.

Special thanks to Partner Peter Fernando and Senior Associate Louisa Joblin for preparing this article. Duncan Cotterill’s specialist data protection and privacy lawyers can assist your business or organisation review your privacy posture and risks, and help you to strengthen your data retention/destruction practices. For more information, please contact a member of our data protection and privacy team.

 

Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.