Latitude Financial confirms hack involves 14 million customers, some dating back 18 years
Law firms are increasingly confident about the prospect of class actions against Latitude Financial and two firms are co-building a website seeking customers to register.
It’s all eyes on Latitude as a number of Australian law firms have confirmed they’re circling the financial institution and weighing up the possibility of a class-action lawsuit.
Some experts say the magnitude of the cyber incident has sparked fear about the use of third-party IT services, causing companies to scrutinise the security of their external providers.
The Office of the Australian Information Commission overnight confirmed it was in the preliminary stages of an investigation – gathering documents and evidence to consider whether it would pursue the company in the same way it had Optus, which it warned in October could face penalties of “up to $2.2m for each contravention”.
The Australian Federal Police, which opened an investigation into the Latitude breach on March 20, said it would expand Operation Guardian.
Operation Guardian was established in September last year when the AFP began investigating the Medibank breach, during which the personal details of 9.7 million people were stolen.
The Australian can confirm that, similar to Medibank, some victims of the Latitude breach had only inquired about its products. Others caught up were old customers of the company, which was known as GE before a transition in 2015.
Restructure firm McGrathNicol cyber expert Darren Hopkins said the Latitude breach, among others, had shone a spotlight on the security practices of third-party service providers.
“In the last six months there has been a big rise in the number of security breaches as a result of third party providers,” he said.
“Their supply chain is seen as being key to these breaches. Companies are now seeing what they can do to stop this from happening and not assuming that their third parties are doing the right thing.”
Mr Hopkins said most of the cyber hacking groups were from Russia and other parts of Eastern Europe, including Belarus.
While many larger companies have stopped paying ransom demands from hackers, some small businesses were opting to pay rather than risk the fallout from their customers’ data being leaked, he said. Larger companies which refused to pay a ransom were finding their customer data being sold on the dark web.
The AFP said it was working with the public and private sector to “scour the internet and known criminal sites” to identify any cyber criminals attempting to sell the data.
“The AFP will take immediate action – through disruption capability or charges – if individuals or groups are selling stolen personal information online,” a statement read.
Law firms Gordon Legal and Hayden Stephens and Associates have established a joint website – www.latitudedatabreach.com.au – which is seeking customers to register if they believe they’re affected.
“We encourage you to register to ensure that you will get regular updates on any potential legal action and compensation that may be sought on your behalf. The information that you provide to us will only be used to assist us in this legal investigation: we will not contact you for any other purpose,” it reads.
The website states that both firms have “extensive experience managing complex class actions” and that they have worked together on “several wage-theft actions in the Federal Court on behalf of junior doctors”.
The joint investigation into Latitude will consider the effectiveness of Latitude’s security measures and protocols.
“We are investigating how a breach of this size could occur. Latitude customers deserve to understand their legal rights and the steps that have been taken to protect their personal data,” Gordon Legal partner James Naughton said.
Latitude declined to comment on the prospect of a class action taking place.
Maurice Blackburn and Slater and Gordon Lawyers have also confirmed they’re monitoring the situation, as both had done with the Medibank and Optus breaches.
“Slater and Gordon is aware of reports that as many as 14 million customer records may have been affected by the data breach impacting Latitude Financial,” a spokeswoman said.
“We continue to monitor the developments and are particularly concerned by the suggestion that some of those affected may have been customers up to 18 years ago.”
The Australian can confirm the number of customers affected by the breach sits near 14 million, with the subset of 6.1 million customers remaining separate to the 7.9 million Australian and New Zealand driver’s licence numbers which were stolen.
Of those driver's licences, a little over 1 million belonged to New Zealanders; the remaining 6.9 million belonged to customers residing or purchasing Latitude products within Australia.
A spokesman from the OAIC said the office had engaged with Latitude and made “preliminary inquiries regarding their cyber security incident”.
“Under the Notifiable Data Breaches scheme, organisations covered by the Privacy Act 1988 must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved,” a spokesman said.
“The OAIC is also working with other government agencies to ensure a co-ordinated response.”