A Kiwi victim of the Latitude Financial cyber-attack is urging people to join a class action and says he was offered an “insulting” $150 compensation.

And more than 10,000 New Zealanders have now signed up
for a class-action lawsuit after the March cyber-attack.

John Campbell of Christchurch told the Herald the incident targeting Gem Visa and Genoapay customers was stressful and caused such disruption he had to take time off work.

He said he felt betrayed after his data was compromised in the March attack – and bizarrely, Latitude recently told the Ombudsman his complaint was “resolved”, when Campbell said it was anything but.

Some customers of Latitude Financial, which included the Gem Visa services Campbell used to use, were told in early May even more personal data was stolen.

For some, hacked information included data used to assess personal loan applications, with details about employment, income, expenses, assets and liabilities.

Campbell said he repeatedly tried contacting Latitude – sometimes getting a response, sometimes not.

“They’ve sent a couple of emails saying this is going to be a long process.”

He said answers were needed on how customer data was secured.

“We tried ringing them one day – we were on the phone for over half a day.”

Campbell said at one point during the process, Latitude offered him $150.

“I don’t want your $150. You’d be better off saving that for your lawyer’s bills,” was his response.

“$150 is a f***ing insult.”

Campbell said he raised concerns with the Insurance & Financial Services Ombudsman (Ifso) and the Privacy Commissioner.

“I think this is disgusting from start to finish,” he told the Ombudsman. “They just tell you they’ve settled it, yet nothing has actually changed for us.”

Gordon Legal said it lodged a claim with the Office of the Privacy Commissioner (OPC) on behalf of all New Zealanders affected by the data breach.

“The class action will be run on an opt-out basis, so it will automatically cover the millions of people affected by the data breach. Around 62,750 affected customers have registered with Gordon Legal to date, including over 11,500 New Zealanders.”

Gordon Legal, based in Australia, said this was the first time the OPC had been asked to consider a representative complaint.

“All NZ-based customers will be covered by this claim. Customers can register with Gordon Legal to receive updates on this claim as it progresses,” the law firm added.

The law firm said the Privacy Commissioner complaint will be held in New Zealand, although a date for that event was not yet confirmed.

Gordon Legal said the OPC was in a joint investigation with the Office of the Australian Information Commissioner.

The law firm expected that investigation would be completed before the representative complaint was heard.

Gordon Legal said it would seek compensation for loss, including for lost identity documents, as well as for emotional stress, inconvenience, frustration and the unease resulting from having personal data stolen.

A Latitude spokesman said the company had written to all affected customers.

He said Latitude had outlined a “comprehensive customer care programme” which included reimbursing the cost of replacement IDs and credit monitoring.

The finance company said it was also offering support for ID advice through specialist provider IDCare and confidential wellbeing support.

“We continue to fully co-operate with the OPC and OAIC,” he added, referring to the joint Australia-New Zealand privacy watchdog investigation.

On its website, Latitude Financial said it had notified or was in the process of notifying about 7.9 million affected individuals in Australia and New Zealand.

It said about 7.9 million driver licence numbers were compromised, as were “some but not necessarily all” of the licence holders’ names, addresses, telephone numbers and dates of birth.

About 103,000 copies of driver licences or passports were compromised, as were approximately 53,000 passport numbers.

It said income and expense information used to assess approximately 900,000 loan applications was compromised.

That included about 308,000 bank account numbers, but not passwords for those accounts.

It said about 143,000 credit card or credit card account numbers, but not card expiry numbers or three-digit CVC or CVV numbers, were also compromised.

An Ifso spokeswoman said she could not comment on complaints regarding individual participants of the Ombudsman scheme.

“However, we can confirm that we received a large number of enquiries from Latitude customers following the cyber-attack on their business earlier this year.”

John Weekes is the online business editor. He has covered courts, politics, crime and consumer affairs. He rejoined the Herald in 2020, previously working at Stuff and News Regional, Australia.