
This was published 1 year ago

Hacked: Latitude confirms details of 14 million consumers stolen

By Colin Kruger

Consumer finance provider Latitude Financial has confirmed that details of 14 million customers were stolen from its computer systems in a cyberattack this month, in what could be the biggest data breach reported in Australia.

The stolen information, which includes the driver’s licence numbers of 7.9 million Australian and New Zealand customers, covers the majority of current and former Latitude customers.


Latitude CEO Ahmed Fahour floated the consumer credit provider on the ASX less than two years ago. Credit: Eamon Gallagher

Latitude would not say if it has been communicating with the hackers.

Latitude provides consumer finance services to Harvey Norman, JB Hi-Fi, The Good Guys and Apple, and recently signed up David Jones. The victims include current and former Latitude customers stretching back more than 10 years, as well as applicants for its consumer credit services that include Harvey Norman’s interest-free loans.

“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly,” Latitude chief executive Ahmed Fahour said in a release to the ASX.


“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full review of what has occurred,” added Fahour, who retires from his position on Friday.

Cybersecurity Minister Clare O’Neil on Monday said the scale of the data theft was very concerning. She triggered the National Coordination Mechanism (NCM) to bring together government agencies to provide support in relation to the attack.

“The government shares the frustration and concern experienced by many citizens who fear their data may now have been stolen on multiple occasions,” she said.


Latitude said it has not detected any hacker activity on its systems since March 16. It is working with the Australian Cyber Security Centre and the incident is being investigated by the Australian Federal Police.

Latitude urged customers to be vigilant and on the lookout for suspicious behaviour relating to their accounts while it restores platforms that have been unavailable during the hack, leaving it unable to sign up new customers.


The company said about 53,000 passport numbers were also stolen in the attack. About 3.2 million of the driver’s licence numbers that were stolen were provided over the past 10 years.

Anti-money laundering and counter-terrorism financing laws require a financial service provider to keep customer identification records for seven years after they have stopped using its services.

Separately, an additional 6.1 million records, dating back to at least 2005, were stolen, including some but not all of the following: name, address, telephone number and date of birth. The fact the information is very limited in some cases, and old, is expected to make it of little use for any criminals.

Latitude said it would write to all customers and applicants whose information was stolen, outlining details of what was taken and its remediation plans.

Latitude has hinted the source of the attack may have been one of its corporate service providers.

In a communication with affected customers, it said: “While Latitude took immediate action, we understand that the attacker, via a vendor, was able to steal Latitude employee login credentials before the incident was contained.

“The attacker appears to have used the employee login credentials to steal personal information.”


In a statement on its website, referring to Latitude’s announcement of the hack, US tech services provider DXC Technology denied it was at fault.

“DXC takes the responsibility of protecting the security of its customers’ systems and data very seriously,” it said.

Archie Reed, an executive of tech research and advisory firm Adapt, said Latitude could have done more to keep customer information safe.

“If this breach was indeed made possible by such a fundamental flaw, it would suggest security may not have been a top priority at the company,” he said.

Reed believes the stolen information will most likely be used for fraud.

“The most basic form of fraud the attackers would look to engage in is identity theft – that is, using the sensitive information, which is often relied upon by other big institutions as identifiers, to impersonate the victim who has had their information stolen,” he said.

The Latitude hack follows a number of recent major incidents. Optus was the victim of a major cyber breach in September, with hackers obtaining the data of 10 million of its customers.

The breach will cost Optus at least $140 million, including replacing hacked identity documents, complimentary subscriptions to credit monitor Equifax, and an independent report by Deloitte. The telco is also being investigated by Australia’s privacy and telecommunications watchdogs.


Medibank’s incident in October was more serious, with criminals accessing basic account details of 9.7 million current and former customers, as well as health claims data for about 160,000 Medibank customers, 300,000 customers of its budget arm ahm and 20,000 international customers.

The hackers began leaking some stolen data onto the dark web and Medibank lost $2 billion from its market valuation at the height of the crisis. It still faces lawsuits and an investigation by the Office of the Australian Information Commissioner over its handling of the incident.


Original URL: https://www.brisbanetimes.com.au/business/companies/hacked-latitude-confirms-details-of-14-million-consumers-stolen-20230327-p5cviu.html