
Latitude’s new CEO Bob Belan apologises to customers over cyber attack, offers reimbursement for stolen documents

After replacing the colourful Ahmed Fahour as chief executive of Latitude Financial, Bob Belan has moved swiftly to take ownership of Australia’s biggest cyber attack.


Latitude Financial chief executive Bob Belan has taken ownership of Australia’s biggest cyber heist, apologising to more than 14 million of the non-bank lender’s customers who had their personal data stolen during the attack.

Mr Belan - who officially succeeded Ahmed Fahour last Saturday - began sending letters to customers late last week. But given the scale of the attack, the release of the letters has been staggered, with some customers not receiving the communication until Thursday.

In the letter, Mr Belan expressed “deep regret” over the assault, which has eclipsed last year’s high-profile hacks on Medibank and Optus.

It is the first communication that Latitude’s CEO has sent to customers since it disclosed the attack to the ASX three weeks ago. But the company’s chief operating officer Andrew Walduck has written to customers previously updating them on the attack.

“Latitude recently experienced a significant and malicious cyber-attack which resulted in data being stolen from our systems. It is with deep regret that I am sharing with you that some of your personal information was compromised,” Mr Belan wrote.

“As Latitude’s CEO, I want to apologise for the impact that this incident has had on you. Know that we are committed to helping you through this process and hope that, in time, we are able to win back your trust.”

The hackers helped themselves to a raft of highly personal information from Latitude’s customers, including copies of their drivers licences, passports and Medicare numbers – the key ingredients for identity theft and fraud.

Mr Belan said the company would reimburse customers if they chose to replace their licence but did not mention the other documents in the letter.

He urged customers to contact one of Australia’s credit reporting agencies to check if their identity has been stolen and used to obtain credit.

Mr Belan also revealed how cyber criminals infiltrated Latitude’s customer database – which included the personal details of those who sign up to interest-free deals at The Good Guys, Harvey Norman, JB Hi-Fi and other retailers.

Ahmed Fahour left Latitude Financial last Friday after four years at the helm. Picture: Ian Currie

“Our investigation has identified that the attacker used compromised login credentials, obtained via a third-party, to access Latitude’s network and steal personal information,” he said.

“We immediately alerted relevant authorities and law enforcement agencies, including the Australian Cyber Security Centre and the Australian Federal Police and engaged external cyber security specialists to work alongside our own teams.

“This crime is now under investigation by the AFP. We also notified the Office of the Australian Information Commissioner and the New Zealand Office of the Privacy Commissioner about this incident on March 16, 2023, and we continue to update them on developments.”

Mr Belan also told customers they had “the right to make complaint” to either Latitude, the OAIC or OPC.

“Please accept my sincere apology. Know that we are working around the clock to restore our systems safely and to ensure that you are supported throughout this process.”

Latitude’s auditor Chris Wooden of KPMG called out its information technology systems, controls and governance when he signed off the company’s accounts in February. Auditors have scrutinised the IT systems of other financial services companies, including CBA, NAB, and ANZ to ensure robust account reporting.

But unlike at Latitude, a successful cyber attack has not followed. Most companies now understand it’s not a question of if but when they are hacked, with Australia’s big banks alone fending off millions of sophisticated attacks each day.

KPMG tested Latitude’s governance and higher-level controls “across the IT environment, including those regarding policy design, and review and awareness” weeks before the cyber attack emerged but Mr Wooden did not offer a final verdict on the lender’s practices or mention cyber security specifically.

Latitude’s owners KKR, Deutsche Bank and Varde Partners floated 25 per cent of the company, or about $200m worth of shares, on the ASX in early 2021. It was its third attempt at an ASX listing and its shares have more than halved to $1.25 in that time.

KKR, Deutsche Bank and Varde have maintained a 66.4 per cent stake in the company, with Japan’s Shinsei Bank owning the remaining 10 per cent.

Under Mr Fahour, Latitude hoped to expand its buy now, pay later business via a $320m takeover of rival Humm’s BNPL business.

But Humm former chairman and Melbourne powerbroker, Andrew Abercrombie, spoiled the deal, declaring it was “seriously flawed” and managed to convince other shareholders to reject Latitude’s offer. Latitude is now in the process of exiting BNPL entirely.


Original URL: https://www.theaustralian.com.au/business/companies/latitudes-new-ceo-bob-belan-apologises-to-customers-over-cyber-attack-offers-reimbursement-for-stolen-documents/news-story/68b9e5a575928e1032afadec38518357