An investigation into the Latitude Group's personal information handling practice following a cyber attack has begun by Australia and New Zealand's privacy regulators.
The Office of the Australian Information Commissioner (OAIC) and the New Zealand Office of the Privacy Commissioner (OPC) said the decision followed preliminary inquiries into the matter by both regulators.
Latitude Group, a provider of credit cards and personal loans for some of Australia's biggest retailers, said in March that hackers stole nearly 8 million Australian and New Zealand drivers' licence numbers.
Latitude later said it had received a ransom demand but it would not pay as it would be detrimental to customers and cause harm to the broader community by encouraging further attacks.
The breach was New Zealand's largest and one of the biggest in Australia.
Hackers also took about 53,000 passport numbers and more than 6 million customer records, mostly from between 2005 and 2013.
The investigation will check whether Latitude took "reasonable steps" to prevent hackers from getting access and the reasons it had for holding onto the personal information of clients for many years.
If found guilty, Latitude could pay penalties of up to $50 million for each violation.
Latitude shares were down about 1 per cent at $1.29 in early afternoon trade.
In a statement to the ABC, a Latitude spokesman said the company would continue to work with the regulators.
"Latitude has been working closely with the OAIC and the OPC since the cyber-attack and will continue to fully cooperate as they undertake their investigation."
Australia is seeing a rise in cyber attacks since late last year with breaches reported by several companies, prompting the federal government to overhaul cyber security rules in February and set up an agency to oversee government investment and help coordinate responses to hacker attacks.
ABC/Reuters