
Latitude Financial hack: 14 million customer documents stolen

The credit card and loan provider reveals more than 14 million customer records have been stolen in a cyber breach.

Latitude boss Ahmed Fahour has confirmed that 14 million customer records have been stolen. Picture: Stuart McEvoy/The Australian

Latitude Financial has revealed that more than 14 million customer records have been stolen in a cyber breach, with legacy customers dating back as far as 2005 caught up in the attack.

The latest figures on compromised documents bring the hack on par with the Medibank and Optus breaches, with the number of breached documents more than 42 times the company’s initial announcement.

The ASX-listed credit card and loan provider on Monday reported that 7.9 million Australian and New Zealand driver’s licence numbers had been stolen, as well as 6.1 million records, 53,000 passport numbers and under 100 customer financial statements.

If the number of driver’s licence details stolen included no duplicates, it would represent at least 7.9 million individual customers having been victims of the attack.

By comparison, that’s 1.9 million fewer than Optus and Medibank, whose breaches respectively saw 9.8 million and 9.7 million customers’ details stolen.

Industry experts have expressed concern about Latitude’s communication with customers, and have asked why the business had not yet disclosed the exact number of people affected and how the hack took place.

Others have asked whether the attack is still active, as the company is yet to formally rule that out.

Latitude chief executive Ahmed Fahour said Monday’s update was “hugely disappointing” and that his staff were still working around the clock to mitigate risks.

“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly,” he said.

The 6.1 million stolen records, 94 per cent – or 5.7 million – of which were provided before 2013, included names, addresses, telephone numbers and dates of birth.

The company has promised to reimburse customers the cost of replacing stolen ID documents.

“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document,” Mr Fahour said.

Cyber Security Minister Clare O’Neil described the update as “deeply concerning” and said the National Coordination Mechanism, a multi-government agency team dealing with cyber attacks, had met five times to assess the Latitude breach.

“Cyber attacks are a growing threat and will become a more routine part of our lives for years to come, and this incident is another reminder of the importance of improving Australia’s cyber security and privacy settings to minimise impacts of these threats,” she said.

“The government shares the frustration and concern experienced by many citizens who fear their data may now have been stolen on multiple occasions.”

The update on Monday comes 10 days after Latitude first reported about 330,000 documents had been stolen by a hacker.

The company has not confirmed the total number of customers impacted, but has now confirmed customers who had accessed Latitude’s products up to 18 years ago have been affected.

Adapt IT researcher Archie Reed said Latitude’s lack of clarity surrounding the status of the hack meant it was “entirely possible more customer information could be affected.”

“We haven’t received any more insights from Latitude as to whether the attackers are still in the system, or if they’ve fully identified the full scale of the breach and every point at which data might have been taken,” he said.

In a statement to the ASX, Latitude said that no suspicious activity had taken place over the weekend, with no signs of malice detected since the last update on Thursday, March 23. Last Monday, Latitude reported the cyber attack was still “active”.

Latitude boss Ahmed Fahour has urged customers to be extra vigilant and to use the company’s customer care program. Picture: Aaron Francis/The Australian

Mr Fahour urged customers to be extra vigilant and to use the company’s customer care program. “We urge all our customers to be vigilant and on the lookout for suspicious behaviour relating to their accounts. We will never contact customers requesting their passwords,” he said.

“We continue to work around the clock to safely restore our operations. We are rectifying platforms impacted in the attack and have implemented additional security monitoring as we return to operations in the coming days.”

Latitude shares fell 2.5 per cent to $1.18, valuing the company at $1.23bn, in a slightly higher market on Monday.

The company had reiterated that it had purchased cyber insurance, but whether that insurance would cover this breach could come down to a technicality, said Monash University cyber security professor Nigel Phair.

“It all depends on the wording of their policy … and cyber insurance companies, unsurprisingly, would like to give them the least amount of money possible,” he said.

While some analysts have estimated Latitude could wear a cost of between $10m and $15m, Mr Phair said he thought that was conservative and that $20m seemed more accurate. He said the going rate for hackers was about $1 per stolen credential.

Mr Phair said Australia required more government intervention in cyber breaches to ensure companies acted appropriately after an attack.

“When it comes to listed companies, if the share price rebounds, there’s even less of an incentive for these organisations to give a damn,” he said.

Asked whether the breach of a financial institution was worse than that of a private health insurer or telco, he said: “I think all organisations collect large amounts of personal data, and so we need to rethink why companies store data and how they store it.”

“If 60 per cent of that data is more than 10 years old, why is it still being kept?”

Asked the same question, Mr Reed said: “Information capable of identifying someone can have just as much value as the health records of that person and, if used in a malicious way, can be truly damaging.”

Joseph Lam, Reporter

Joseph Lam is a technology and property reporter at The Australian. He joined the national daily in 2019 after he cut his teeth as a freelancer across publications in Australia, Hong Kong and Thailand.


Original URL: https://www.theaustralian.com.au/business/technology/latitude-financial-hack-14-million-customer-documents-stolen/news-story/56ea8c72d3a2ac20235ca5ec22414170