Skip to content   Skip to footer navigation 

Why does a business I left years ago still have my data?

Businesses are supposed to delete your personal info after you're no longer a customer, but that doesn't seem to be happening. 

latitude and oaic logos and calendars for 2023 and 2024
Last updated: 28 May 2024
Fact-checked

Fact-checked

Checked for accuracy by our qualified fact-checkers, verifiers and subject experts. Find out more about fact-checking at CHOICE.

Need to know

  • Tom Jordan's personal information was recently stolen in two separate data breaches, even though he hadn't been a customer of either business for many years
  • Australia's privacy commissioner says businesses must take "reasonable steps" to destroy personal information they no longer need
  • Changes to the Privacy Act slated for August are expected to include new consumer protections, including the right to have your data deleted

Tom Jordan is getting more than a little tired of having his sensitive personal information spirited away by cybercriminals. 

In March 2023, he was informed by NGS Super that his details had been hacked – which meant they could be in anyone's hands. 

In a follow-up communication in May 2023, the fund admitted, "The protective measures we had in place were clearly not sufficient."

Tom couldn't agree more, but there was a more troubling issue. 

As he explained to NGS, "I am very annoyed to think that I left your fund back in 2016 and that, with cyber security becoming a major issue, you would see fit to retain my information even though it was of no use to your organisation."  

Tom was even more annoyed when he was contacted by non-bank lender Firstmac in May 2024, who told him his name, address, email address, date of birth, bank account details and driver's licence number had been carried off by thieves. 

They send me an email out of the blue advising that my records with them have been accessed by a third party … Why do they still have those records?

Data breach victim Tom Jordan

That's a lot of credentials for a scammer to work with – which is what generally happens to information taken in a data breach. 

Once again, Tom was flabbergasted that Firstmac still had his information. He hadn't held an account with Firstmac since 2012. 

"They send me an email out of the blue advising that my records with them have been accessed by a third party … Why do they still have those records?" 

Tom is equally put out about the fact that it's up to him to clean up the mess. "They put this back on the consumer to make contact with various parties, such as credit reporting agencies and so on," he says.

Latitude Finance breach, one year on

It seems many businesses are holding on to our data long after we've stopped being a customer. 

In May last year, CHOICE reported on the Latitude Finance data breach, one of the biggest ever in Australia. The records of around 14 million customers going back to 2005 were stolen. 

The older records included those of Latitude's predecessor company, GE Finance, which became Latitude Finance in 2015. GE Money customer data was passed along as part of the deal.

[Businesses] must take reasonable steps to destroy personal information it holds or ensure it is de-identified if it no longer needs the information

Office of the Australian Information Commissioner

A spokesperson for the Office of the Australian Information Commissioner (OAIC), which oversees the Privacy Act, told us at the time that a business "must take reasonable steps to destroy personal information it holds or ensure it is de-identified if it no longer needs the information".

In May 2023, OAIC launched an investigation into the Latitude data breach in partnership with the New Zealand Office of the Privacy Commissioner, saying it would look into whether Latitude "took reasonable steps to destroy or de-identify personal information that was no longer required".

illustration of unlocked file folder with locked folders either side

In last year's Latitude Finance data breach, the records of around 14 million customers going back to 2005 were stolen.

Stalled Latitude class action 

As of May 2024, over 75,000 victims of the breach had registered their interest in a class action lawsuit against Latitude with the firm Gordon Legal, but lawyer Aimee Dartnell says little progress has been made. 

According to the law firm, OAIC has yet to respond to the firm's request that the class action complaints be accepted for further investigation. 

"We've spoken to victims since the breach who are really just living in a state of fear and worry about their data being out there," Dartnell says. 

"People have told us there has been a significant uptick in the number of suspicious emails and calls they've been getting. We've had people tell us that their bank accounts have been hacked or attempts have been made. 

"People facing financial difficulties are dealing with the stress of not knowing where their data has gone and whether they're going to have any recourse." 

People have told us there has been a significant uptick in the number of suspicious emails and calls they've been getting

Aimee Dartnell, Gordon Legal

An OAIC spokesperson tells CHOICE "our investigation into Latitude is ongoing". 

Latitude isn't the only business facing legal action following a data breach. 

In May this year, the Australian Communications and Media Authority (ACMA) filed a case in the Federal Court against Optus on the grounds that its September 2022 data breach, which affected about 10 million current and former customers, was a violation of the Telecommunications Act. The legislation requires telcos to protect customer data from unauthorised access.

The ACMA case comes amidst an ongoing class action against Optus by the law firm Slater and Gordon for the same breach, which involved customers' passport details, as well as Medicare and drivers' licence numbers, among other things. 

CHOICE consumer data advocate Kate Bower says such large-scale breaches and their long-term detrimental impact on millions of Australians shows our privacy laws are struggling to keep up with the rapid rise of cybercrime. 

"We urgently need stronger privacy rights for individuals to be able to better protect themselves and their personal information," says Bower.

'Fair and reasonable' data collection

The federal government has committed to introducing reforms to the Privacy Act in August that could include a right to request that your personal data be deleted. Such a right already exists overseas under the EU's General Data Protection Regulation. 

The government is also considering the introduction of a measure that would enable individuals to sue businesses that breach their privacy rights. But that alone would still leave businesses off the hook.

Keeping customer records on the books for years longer than needed is not fair and reasonable in the eyes of consumers and it's time our laws reflected that

CHOICE consumer data advocate Kate Bower

"The onus should not just be on individuals to protect themselves from cyber attacks and poor business practices," says Bower. 

"CHOICE is calling for reforms that will put the onus back on business to only collect and store the minimum information needed to provide their product or service". 

In particular, we're backing the introduction of a 'fair and reasonable use test' for the collection of our personal data.  

"Keeping customer records on the books for years longer than needed is not fair and reasonable in the eyes of consumers and it's time our laws reflected that," Bower says.

Is cybersecurity getting any better? 

There were around 890 major data breaches in Australia in 2023, as recorded by OAIC, most of them affecting health and finance businesses. Most of these (67%) were due to attacks by cybercriminals. OAIC recorded the same number in 2022. 

Professor Shui Yu, an expert on cybersecurity at University of Technology Sydney, tells CHOICE that corporations have little incentive to improve data breach prevention since it's expensive and doesn't contribute to revenue.

It's also hard to keep the cybercriminals at bay. 

Security won't bring the business financial reward. It doesn't generate revenue. So businesses are not that motivated to invest in security

Professor Shui Yu, University of Technology Sydney

"Security and privacy protection systems all have different problems and vulnerabilities," Yu says. "When we built the system, maybe we didn't predict new technologies such as AI or quantum computing. And sometimes we don't know about our system's vulnerabilities." 

Hackers tend to work harder to figure out these weak points than businesses do to fix them, says Yu. "They are motivated by financial and personal reward."

A similar motivation comes into play when it comes to failing to protect customer information. 

"Security won't bring the business financial reward. It doesn't generate revenue. So businesses are not that motivated to invest in security," says Yu. 

After all, the only real losers in a data breach are its victims. 

In the case of Latitude Finance, Aimee Dartnell of Gordon Legal is hoping their interests will soon be prioritised. 

"What we really want is to find out what happened, what caused the data breach, where the data has gone and whether we can negotiate some form of resolution for victims and some sort of compensation for the stress that they've gone through."

We care about accuracy. See something that's not quite right in this article? Let us know or read more about fact-checking at CHOICE.

Stock images: Getty, unless otherwise stated.