The Privacy Commission is telling businesses to “wake up” to the risks of keeping personal data after a mega privacy breach exposed 14 million customer records held for almost two decades.
Deputy Privacy Commissioner Liz MacPherson said data retention - how long records were held - was emerging as a key issue in several recent domestic and global cyberattacks, including the recent Latitude Finance attack.
More than 300,000 personal records and documents were stolen in the cyberattack affecting the New Zealand and Australian finance company’s customers last month.
Those customers of Genoapay, a buy-now-pay-later provider, and Gem Finance, a loan company, both owned by Latitude Finance, had their driver licences and passports exposed.
The company said about 103,000 ID documents, more than 97 per cent of which were copies of drivers’ licences, were stolen from one service provider.
The attacker was reportedly able to obtain employee login credentials and steal the documents before the incident was isolated.
“Data retention is the sleeping giant of data security. There are consequences for holding on to data you no longer need,” MacPherson said.
“All businesses and organisations can learn from this: Don’t collect or hold on to information you don’t need. The risk is simply too high for your customers and your organisation.”
She said there was no place for a “she’ll be right” attitude from businesses.
“Don’t risk being a hostage to people who make it their day job to illegally extract data.”
Businesses not prepared for digital future - privacy commission
MacPherson said a survey last year found a lot of boards were not prepared for a digital future and had acted as though cyberattacks would not happen to them.
“A key finding from the NZ Institute of Directors’ Director Sentiment Survey report was that a significant proportion of boards were not sufficiently prepared for a digital future and had an ‘it won’t happen to us’ approach,” MacPherson said.
“Wake up to yourselves. We talk to organisations almost every week who are counting the cost of a cyber data breach. Can you risk the impact to your customers and your reputation?”
Some of the records taken had been kept for up to 18 years. Organisations should have a data retention schedule they reviewed regularly, she said.
Organisations should not collect or keep any information unless it was necessary for a lawful reason connected with that organisation’s business, she said.
“The simple discipline of deciding how long information will be retained as you collect it and acting on these decisions will save you and your customers a lot of pain,” the Office of the Privacy Commissioner said.
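The discipline the Office describes, fixing a retention period at the moment of collection and then acting on it, can be made mechanical. The following Python is an added illustration, not code from the article, the Office of the Privacy Commissioner or Latitude; the data classes, retention periods and sample records are constructed for the example.

```python
from datetime import date, timedelta

# Constructed retention schedule (illustrative values only).
# The period is decided per class of data when the record is collected, not years later.
RETENTION_DAYS = {
    "id_document_copy": 30,        # a licence/passport copy is needed only until the check is done
    "loan_account": 7 * 365,       # account history kept for a fixed period after closure
    "marketing_preference": 365,   # consent re-confirmed yearly
}

def collect(record_id, data_class, collected_on):
    """Create a record with its deletion date fixed at collection time."""
    return {
        "id": record_id,
        "class": data_class,
        "collected_on": collected_on,
        "delete_by": collected_on + timedelta(days=RETENTION_DAYS[data_class]),
    }

def overdue(records, today):
    """IDs of records whose deletion date has passed: these should no longer exist."""
    return sorted(r["id"] for r in records if r["delete_by"] < today)

def purge(records, today):
    """Apply the schedule: drop expired records, keep the rest."""
    return [r for r in records if r["delete_by"] >= today]

def demo(today=date(2023, 4, 20)):
    # Constructed sample store: an ID copy held 18 years, a fresh one, a live account,
    # and a marketing preference that was never re-confirmed.
    store = [
        collect("lic-0001", "id_document_copy", today - timedelta(days=18 * 365)),
        collect("lic-0002", "id_document_copy", today - timedelta(days=3)),
        collect("acct-0001", "loan_account", today - timedelta(days=2 * 365)),
        collect("pref-0001", "marketing_preference", today - timedelta(days=400)),
    ]
    return overdue(store, today), len(purge(store, today))

if __name__ == "__main__":
    print(demo())  # (['lic-0001', 'pref-0001'], 2)
```

Running the overdue check on a schedule like this regularly is what turns a retention policy into something that actually removes the 18-year-old licence copy instead of leaving it for an attacker to find.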
Commission encourages people to challenge businesses over need for personal info
People should challenge businesses about why they needed to collect and keep their personal information too, the office said.
“If ID is being used as a means of verification, ask why it needs to be collected or copied rather than simply sighted and recorded,” MacPherson said.
“If your information is being collected, ask how long it will be kept for and why. The more people challenge, the more likely it is that organisations will change their behaviour.”
Privacy needed to become a core business issue, MacPherson said.
“[It’s] as important as health and safety.”