Fallout from Latitude Financial hack grows as millions impacted
The lending company is behind a number of interest-free payment plans at major retailers, boasting of customers getting a response to their application “in as little as 60 seconds”.
The cyber hack at Latitude Financial is shaping up to be one of the largest in Australian history, with new updates placing the breach just behind that of Optus and Medibank.
To date, the ASX-listed company has confirmed almost 8 million Australian and New Zealand driver’s licence numbers were stolen as well as a further 6.1 million customer records, more than 53,000 passport numbers and under 100 customer financial statements.
Many customers have reported limited contact from the financial institution and as the investigation into how the breach occurred continues, customer queries and anxiety are building equally as fast.
Here’s what we know.
Who is Latitude?
Latitude Financial is a major credit card, loan and buy now, pay later provider.
The ASX-listed company has been operating in Australia for over a century, according to its website. In 2015 the business, formerly known as GE, became Latitude Financial. It offers products including digital payments, instalments and lending options.
It was a significant player in the buy now, pay later space until this year when it announced it was ceasing that side of its business – known as LatitudePay – on April 11.
The company is also behind a number of interest-free payment plans at major retailers such as Harvey Norman which boast of customers getting a response to their application “in as little as 60 seconds”.
The company is currently run by chief executive Ahmed Fahour, who has previously held the same role at NAB and more recently Australia Post.
How many customers have been impacted?
This is one of the biggest outstanding questions since the company first announced the breach 11 days ago.
Latitude says it is working through the number of duplicated identification documents compromised to determine the accurate number of customers who have been affected.
On Monday, Latitude confirmed 7.9 million Australian and New Zealand driver’s licence numbers were compromised in the breach.
If the number of driver’s licence details stolen included no duplicates, then that would place the attack as just behind Optus and Medibank.
The Optus and Medibank breaches respectively saw 9.8 million and 9.7 million customer’s details stolen.
What data has been compromised?
- 7.9 million Australian and New Zealand driver’s licence numbers
- 6.1 million customer records (addresses, telephone numbers and dates of birth)
- 53,000 passport numbers
- 3000 copies of Medicare numbers
- Under 100 financial statements
Latitude has flagged that in addition to the 7.9 million driver’s licence numbers, a further 6.1 million records have been stolen. These include personal information such as names, addresses, telephone numbers and dates of birth.
Those 6.1m records date back to 2005, with 94 per cent – or 5.7 million – of those details provided before 2013.
Latitude has been careful in its wording of the breach, initially announcing that 103,000 identification documents and 225,000 customer records were stolen.
In its second update, Latitude clarified those initial figures included 315,000 copies of driver’s licences being stolen, about 10,000 copies of passports and about 3000 copies of Medicare numbers.
How the company defines a customer record and identification document isn’t always clear.
Most financial products typically require a 100 point identification check for an application to proceed. And not all consumers would provide both a passport copy and driver’s licence copy.
In Queensland, for example, a 100-point ID check can be made up of one “primary” document including an Australian visa worth 40 points, a birth certificate worth 50 points, driver’s licence worth 60 points and a passport worth 50 points.
These can be supplemented by a “secondary” document including a change of name certificate, a marriage certificate or a Medicare card, all of which are worth 40 points.
Repeat Latitude customers may have had to provide second, third or fourth copies of some identification documents should they have expired or they changed address.
What is Latitude doing for its customers?
The company has set up what it describes as a customer care program, and signalled that some customers would be provided by hardship support.
The company has an Australian and New Zealand hotline that is open 9am – 6pm Monday to Friday. The hotline is available on 1300 793 416 or from 0800 777 885 from New Zealand.
It has also engaged by industry leader for post cyber attack assistant, not-for-profit organisation IDCARE, which provides advice to people who believed they may have been breached.
IDCARE case managers can be reached on 1800 595 160 (LAT23) or 0800 121 068 for those in New Zealand. Online queries can be directed to IDcare.org
The not-for-profit had received more than 2000 engagements regarding Latitude over the past week, IDCARE managing director David Lacey said.
The advice so far from Latitude has been for customer to:
• Stay alert for any phishing scams via phone, post or email
• Ensuring communications received are legitimate
• Not opening texts from unknown or suspicious numbers
• Change passwords regularly with ‘strong’ passwords, not re-using passwords and activating multi-factor authentications when available on any online accounts
• Latitude will not contact customers asking for password or sensitive information
Customers have also been advised they can take the following precautions:
• Contacting one of Australia’s credit reporting agencies for a credit report so you can check if your identity has been used to obtain credit without your knowledge.
• In New Zealand, checking your credit record to confirm if your identity has been used to obtain credit without your knowledge. For further information, please refer to: govt.nz/browse/consumer-rights-and-complaints/debt-and-credit-records/check-your-own-credit-report
• Requesting the credit reporting agencies to place a credit ban or suspension on your credit file via their website or by contacting them directly. Please be aware that you will not be able to apply for credit while the ban or suspension is in place.
Is a Latitude breach more dangerous than Medibank or Optus?
The general consensus from the industry has been no, however it’s worth noting that Latitude has said some customers have had their financial statements stolen, which provides insight into the spending habits of the customer as well as potentially they’re banking details and address.
The research director of software and research provider ADAPT IT Archie Reed on Monday said: “Information capable of identifying someone can have just as much value as health records about that same person and if used in a malicious way, can be truly damaging.”
“A combination of driver’s licence details and passport numbers are often what’s needed to take out many kinds of services in a victim’s name.”
What happens next?
The Australian Federal Police are investigating the incident.
Cyber Security Minister Clare O’Neil has said the National Coordination Mechanism, a multi-government agency team dealing with cyber attacks, had met five times to assess the Latitude breach.
These external investigations are taking place in addition to Latitude’s own investigation.
Latitude shares, which were halted and suspended initially, have resumed trading, opening at $1.16 on Tuesday.
Law firms Slater and Gordon and Maurice Blackburn have both signalled they are monitoring the Latitude breach. Both firms have investigated similar breaches for class action lawsuits.
A mental health and well-being support line is available on 1800 808 374 or 0800 808 374 in New Zealand.
More Coverage
Read related topics:Medibank
Join the conversation
iPhone 16 review: Apple faces its ‘Barbie moment’
Consumers and Barbie fans will be tickled pink by Apple’s new iPhone colours. But how do the new models stack up, and is buying a Pro still worth it? We take a look.
Read more
Meta urged to regulate youth data use
Meta’s new self-enforced safety standards have drawn attention to its use of young Australians’ private data, argued to be driving harms that are still unchecked.
Read more