NewsBite

Latitude confirms hackers’ ransom demand but says it won’t pay up

Latitude Financial Group has confirmed that hackers who stole the details of 14 million customers last month have demanded a ransom, but the company says it won’t pay up.

Latitude Financial refuses to pay cyber-attack ransom demands

Latitude Financial Group has confirmed that hackers who stole the details of 14 million customers last month have demanded a ransom but says it won’t pay up.

The consumer lender told shareholders on Tuesday it didn’t want to “reward criminal behaviour” and said its decision was consistent with the Australian government’s position.

About 7.9 million people had their driver’s licence details stolen, some 53,000 passport numbers were taken and 6.1 million other customer records dating back nearly 20 years were lifted in the hack.

Latitude, which provides consumer finance services to major retailers such as Harvey Norman and The Good Guys, said it didn’t believe paying a ransom would result in the return or destruction of the stolen data.

About 14 million customers are believed to have been affected by the Latitude hack. Picture: iStock
About 14 million customers are believed to have been affected by the Latitude hack. Picture: iStock

The company said it had sought advice from cybercrime experts before deciding that paying a ransom would be “detrimental” to its customers and encourage further cyber attacks across the community.

It did not detail how much was demanded or when the demand was made but it did say the stolen data the attackers detailed as part of their ransom threat was consistent with the number of affected customers.

“Latitude will not pay a ransom to criminals,” the company’s chief executive officer Bob Belan said.

“Based on the evidence and advice, there is simply no guarantee that doing so would result in any customer data being destroyed and it would only encourage further extortion attempts on Australian and New Zealand businesses in the future.”

Mr Belan said Latitude’s “priority” was contacting every customer whose personal information was compromised, which the company is still in the process of doing.

He said the company was working on safely restoring its regular business operations.

“I apologise personally and sincerely for the distress that this cyber-attack has caused and I hope that in time we are able to earn back the confidence of our customers,” he said.

The company has said “to the best of our knowledge” there has been no suspicious activity inside Latitude‘s systems since March 16.

Home Affairs Minister Clare O’Neil has confirmed Latitude’s decision not to pay a ransom is consistent with federal government advice. Picture: NCA NewsWire / Martin Ollman
Home Affairs Minister Clare O’Neil has confirmed Latitude’s decision not to pay a ransom is consistent with federal government advice. Picture: NCA NewsWire / Martin Ollman

The Australian Federal Police are investigating the data breach and Latitude has promised to work with the Australian Cyber Security Centre on its response.

The hack was the largest-known data breach of an Australian financial institution and follows massive cyber attacks at Medibank and Optus last year that compromised millions of customers’ personal information.

The separate attackers behind both of those hacks demanded ransoms.

The Medibank hackers leaked the data they stole onto the dark web after the health insurance giant refused to pay the ransom.

In Optus’ case, the person purporting to be behind the attack reportedly retracted their ransom threat.

Home Affairs and Cyber Security Minister Clare O’Neil confirmed Latitude’s decision not to pay a ransom was consistent with Australian government advice.

“Cyber criminals cheat, lie and steal. Paying them only fuels the ransomware business model,” she said.

“They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals.”

Original URL: https://www.dailytelegraph.com.au/technology/latitude-confirms-hackers-ransom-demand-but-says-it-wont-pay-up/news-story/babee437c4645cd438e991cca41fc595