SYDNEY (Reuters) -The privacy regulators for Australia and New Zealand said on Wednesday they had begun a joint investigation into the personal information handling practices at consumer finance firm Latitude Group, which was hit by a cyber attack.
The Office of the Australian Information Commissioner (OAIC) and the New Zealand Office of the Privacy Commissioner (OPC) said the decision followed preliminary inquiries into the matter by both regulators.
Latitude Group, a provider of credit cards and personal loans for some of Australia's biggest retailers, said in March hackers stole nearly 8 million Australian and New Zealand drivers' licence numbers.
Latitude later said it had received a ransom demand but it would not pay as it would be detrimental to customers and cause harm to the broader community by encouraging further attacks.
The breach was New Zealand's largest and one of the biggest in Australia. Hackers also took about 53,000 passport numbers and more than 6 million customer records, mostly from between 2005 and 2013.
The investigation will check whether Latitude took "reasonable steps" to prevent hackers from getting access and the reasons it had for holding onto the personal information of clients for many years.
If found guilty, Latitude could pay penalties of up to A$50 million ($34 million) for each violation. Latitude shares were down about 1 percent at A$1.29 in early afternoon trade.
Australia is seeing a rise in cyber attacks since late last year with breaches reported by several companies, prompting the federal government to overhaul cyber security rules in February and set up an agency to oversee government investment and help coordinate responses to hacker attacks.
On Wednesday, TechnologyOne Ltd became the latest target after the enterprise software maker said it had detected an unauthorised third-party access to its back-office systems.
($1 = 1.4743 Australian dollars)