Customer details stolen as Latitude suffers major cyber attack

Hundreds of thousands of drivers licences and customer financial records were stolen in what the credit provider labelled a ‘sophisticated and malicious cyber attack’.

Hayden Johnson and Joseph Lam

4 min read

9:48AMMarch 16, 2023.

Updated 11:13AMMarch 17, 2023

The Australian Business Network

Latitude said the attacker was able to obtain employee login credentials before the incident was isolated. Pictured is outgoing CEO Ahmed Fahour. Picture: Ian Currie

A major credit card, loan and buy now pay later provider has been hit by a “sophisticated and malicious cyber-attack” which has seen near 330,000 documents stolen by a hacker.

ASX-listed Latitude Financial on Thursday revealed 103,000 identification documents and 225,000 customer records were stolen from an attack which it believes to have originated from one of its major vendors.

Analysts say Latitude Financial could wear between $10m to $15m in costs associated with mitigation of the incident, based on the estimated cost of the Medibank Private breach late last year.

Latitude, which is listed on the ASX with a market capitalisation of $1.25bn, finished the 2022 calendar year with 2.8 million customers across Australia and New Zealand.

Its merchant partners include Harvey Norman, Urban Republic and David Jones — which signed a credit card supply deal in January.

This hack is the latest in a growing string of cyber attacks to hit corporate Australia, with Medibank and Optus suffering major breaches last year.

The Latitude Financial breach reportedly took place after a hacker was able to obtain an employee’s login credentials. “The attacker appears to have used the employee login credentials to steal personal information that was held by two other service providers,” the company said.

“As of today, Latitude understands that approximately 103,000 identification documents, more than 97 per cent of which are copies of drivers’ licences, were stolen from the first service provider.

“Approximately 225,000 customer records were also stolen from the second service provider.”

Latitude had become popular in Australia, amassing over 2.8 million customers as it boasted of allowing customers to “get a personal loan rate in 2 minutes” that wouldn’t impact their credit score.

Trading of Latitude Financial shares was halted on Thursday, with no trading set to resume before Monday.

Citi analyst Thomas Strong said while it was too early to be definitive, “clearly the uncertainty is a negative” and is likely to affect the share price – last traded at $1.20 – for some time.

Mr Strong made some comparison to Medibank when considering the cost of the breach, noting the nation’s largest private health insurer had estimated a cost of between $25-$35m to protecting customer identities and engage with experts.

“While it is obviously difficult to compare on a comparable basis, short-term costs of $10m to $15m could be a reasonable estimate based on the respective size of the businesses and customer bases, but could be mitigated by cyber insurance,” he said.

Meanwhile Forescout Security Intelligence vice president Rik Ferguson said the hack showed cyber criminals are no longer interested in data encryption.

“Cybercriminals are now focusing on data theft and leak attacks, as we have just witnessed over 200,000 records stolen from Latitude. The end goal for many cybercriminals now is to steal data to sell on the black market,” he said.

It is not yet clear if customers from all arms of Latitude’s business, which counted credit cards, car loans, personal loans, insurance and a buy now pay later product as services, had been impacted. It is also not clear whether former customers have been caught up in the breach.

The Australian newspaper in January revealed corporate customers who had inquired but did not purchase private health policies had been caught up in the Medibank breach.

A spokesman from Maurice Blackburn, which is behind class actions against Optus and Medibank for their respective breaches, said it was closely monitoring the Latitude situation.

Latitude said it was “continuing to respond to this attack and is doing everything in its power to contain the incident and prevent the theft of further customer data, including isolating and removing access to some customer-facing and internal systems”.

“We are working with the Australian Cyber Security Centre, have alerted relevant law enforcement agencies and engaged several cyber security specialists to assist with Latitude’s response,” it said.

Cyber Security Minister Clare O’Neil confirmed that The Australian Cyber Security Centre was working with Latitude to mitigate risks associated with the breach.

“This incident is another reminder for everyone in the community to be vigilant about their personal cyber security and to make use of all the tools and advice available,” she said.

Latitude said some of its customer-facing services would be taken offline as it further investigates the breach.

“Latitude is continuing to respond to this attack and is doing everything in its power to contain the incident and prevent the theft of further customer data, including isolating and removing access to some customer-facing and internal systems,” it said.

The Medibank hack, which is subject to an ongoing Federal Police investigation, saw Russian hackers release the sensitive medical details of thousands of customers into the dark web.

Meanwhile, some 80 per cent of Australia’s large organisations upped their cyber security spend in 2022, a significant jump on prior years, amid the rise in breaches, according to research from global cyber security group Netskope.

The federal government has commissioned a new cyber security strategy to be led by former Telstra chief executive Andy Penn, and has flagged that it may make paying cyber ransoms illegal.

Over the past four years six high-profile corporate victims of attacks – Medibank, Optus, Woolworths, Nine Entertainment, tech group Appen, property valuation firm Landmark White and cosmetics group BWX each did not pay ransom.