Written by staff writer.
Update: 27 March 2023
In a statement, Latitude has reported that approximately 7.9 million Australian and New Zealand driver licence numbers were stolen, of which approximately 3.2 million, or 40%, were provided to us in the last 10 years.
In addition, approximately 53,000 passport numbers were stolen.
The company has also identified less than 100 customers who had a monthly financial statement stolen.
A further approximately 6.1 million records dating back to at least 2005 were also stolen, of which approximately 5.7 million, or 94%, were provided before 2013.
These records include some but not all of the following personal information: name, address, telephone, date of birth.
The company stated, “To the best of our knowledge no suspicious activity has been observed in Latitude’s systems since Thursday 16 March 2023. This malicious attack on Latitude is under investigation by the Australian Federal Police and we continue to work with the Australian Cyber Security Centre and our expert cyber-security advisers.”
In the News
ASX-listed entity Latitude Financial went into a trading halt on March 16 before announcing it was the target of a “sophisticated and malicious cyberattack” earlier this week.
“The attacker appears to have used employee login credentials to steal personal information that was held by two other service providers,” said a letter to customers from COO Andrew Walduck. “Regrettably, the attack has resulted in the theft of some customer data.”
According to the letter, approximately 103,000 identity documents, primarily copies of driver’s licences, were stolen from one vendor used by Latitude Financial. At the same time, hackers obtained 225,000 customer records from a second vendor. The company did not identify the vendors but said the hackers accessed the data using Latitude employee login credentials.
Latitude Financial is digital payments, instalments and lending business. Its website shows it offers a variety of consumer loans, credit cards, and a soon-to-be discontinued buy-now-pay-later product. The company has 2.8 million customers in Australia, and its best-known products include the 28° Global Platinum Mastercard, Gem Visa, and Go Mastercard. Latitude Financial says it detected unusual activity on its systems earlier this week and took immediate action, but not before the hackers obtained the data.
The attack on the financial services company is the highest profile and potentially the most damaging since the Optus and Medibank Private data breaches in 2022. In both cases, the data of more than nine million customers, including primary identification details, was stolen. The Medibank Private case bears similarities to the Latitude case. In the two instances, stolen employee login details and third-party vendors were in the mix.
Garnering fewer headlines, real estate company LJ Hooker was the victim of a cyber-attack in December 2022, where hackers also used a third-party vendor as the attack conduit. In that case, the hackers obtained employee and customer details, including copies of passports, credit cards, and loans data.
Luke Raven, senior compliance manager at digital payments company Cabital, says companies like Latitude Financial need to do better due diligence on the data protection and privacy safeguards their vendors have in place, especially those vendors who handle and store sensitive customer data.
“They (Latitude Financial) should expect to face some tough enquiries from regulators like ASIC and AUSTRAC as to their third-party due diligence procedures,” he said via LinkedIn. “This attack highlights (yet again) the need for Australia to become far better at protecting our citizens and financial system.”
Australia’s Minister for Cyber Security, Clare O’Neil, said via her Twitter account that she was aware of the cyberattack, adding that the Australian Cyber Security Centre (ACSC) and law enforcement authorities were working with Latitude Financial.
“I welcome this cooperation with the ASCS and regulators to minimise the damage resulting from this incident,” the Minister said. “This incident is a reminder for everyone in the community to be vigilant about their personal cyber-security.”
Latitude Financial says it is working to contain the breach and stop the theft of any further data, which includes temporarily shutting down some customer-facing and internal systems.
“We are working with relevant authorities and have engaged cyber security specialists as we do everything in our power to contain the attack,” the letter says. “Latitude apologises customers, particularly those who were impacted.” The company expects to resume trading on the ASX on March 20.