This was published 1 year ago
Latitude refuses to pay hackers’ ransom demand
By Colin Kruger
Consumer lender Latitude Financial Group has refused to pay a ransom demand from hackers who stole the details of 14 million consumers last month, but would not say if the criminals have threatened to release the data, which includes driver’s licence details.
Latitude new chief executive Bob Belan yesterday declined to specify how much was demanded.
“Latitude will not pay a ransom to criminals,” he said.
“Based on the evidence and advice, there is simply no guarantee that doing so would result in any customer data being destroyed, and it would only encourage further extortion attempts on Australian and New Zealand businesses in the future.
“Our priority remains on contacting every customer whose personal information was compromised and to support them through this process.”
Belan took over as CEO this month from Ahmed Fahour, who took the company public less than two years ago at $2.60 a share. The stock was closed the trading day flat at $1.26 a share.
The stolen information includes the driver’s licence numbers of 7.9 million Australian and New Zealand customers and covers most current and former Latitude customers.
Latitude provides consumer finance services to Harvey Norman, JB Hi-Fi, The Good Guys and Apple, and recently signed up David Jones. The victims include current and former Latitude customers stretching back more than 10 years as well as applicants for its consumer credit services that include Harvey Norman’s interest-free loans.
Latitude’s latest announcement came the same day that Cybersecurity Minister Clare O’Neil said the government has begun a series of cybersecurity exercises with the banking and finance sector because of its importance to the functioning of the economy.
“The groups that are conducting cyberattacks are becoming more professionalised, industrialised, powerful and effective,” she said.
“We’re conducting exercises where we play through what it would look like to have a major bank, for example, come down in a cyberattack.”
Latitude said it has not detected any hacker activity on its systems since March 16. It is still in the process of restoring some of its operating systems following the attack but said its primary customer contact centre was back online and operating at full capacity. The company can also sign up new customers again.
The group is working with the Australian Cyber Security Centre and the incident is being investigated by the Australian Federal Police.
Elliot Dellys, founder and chief executive of Phronesis Security, said the rejection of ransom payments, and government support, were welcome developments.
“Historically, the trend has been for businesses to try and make the problem go away as quickly as possible, regardless of the long-term consequences,” he said.
He cited research by McGrathNicol last year which found that around 80 per cent of Australian businesses hit by a cyber-attack pay the ransom, with an average payment of just over $1 million.
The Latitude hack follows a number of recent major incidents. Optus was the victim of a major cyber breach in September, with hackers obtaining the data of 10 million of its customers.
But Latitude’s attack is starting to resemble Medibank’s incident in October, which was more serious.
In Medibank’s case, criminals were accessing basic account details of 9.7 million current and former customers, as well as health claims data for about 160,000 Medibank customers, 300,000 customers of its budget arm ahm and 20,000 international customers.
The hackers leaked all stolen data onto the dark web after Medibank refused to pay a $15 million ransom.
The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.