Latitude Financial rebuffs ransom demand after cyber attack

Criminals behind Australia’s biggest cyber attack issue a ransom demand, but Latitude Financial says paying it could cause more harm.

Latitude boss sends letter to customers over cyber-attack

Latitude Financial has rejected a ransom demand from the criminals behind Australia’s biggest cyber attack, a move welcomed by the Albanese government.

The attack resulted in almost 8 million Australian and New Zealand driver’s licence numbers being stolen as well as a further 6.1 million customer records, more than 53,000 passport numbers and under 100 customer financial statements.

The non-bank lender did not provide details of the demand, but said it would not pay any ransom.

“We will not reward criminal behaviour, nor do we believe that paying a ransom will result in the return or destruction of the information that was stolen,” it said.

“Latitude strongly believes that paying a ransom will be detrimental to our customers and cause harm to the broader community by encouraging further criminal attacks.”

The ASX-listed company said the stolen data the attackers have detailed as part of their ransom threat was “consistent with the number of affected customers disclosed by Latitude” on March 27.

It said the matter is under investigation by the Australian Federal Police. Police said Operation Guardian – a task force investigating the fallout of the Optus breach in September – had been expanded to take in the Latitude incident.

The breach, which followed similar attacks on Medibank and Optus, is one of the largest in Australia’s history.

“I apologise personally and sincerely for the distress that this cyber-attack has caused and I hope that in time we are able to earn back the confidence of our customers,” chief executive Bob Belan said in a statement on Tuesday.

“Our priority remains on contacting every customer whose personal information was compromised and to support them through this process.

“In parallel, our teams have been focused on safely restoring our IT systems, bringing staffing levels back to full capacity, enhancing security protections and returning to normal operations.”

Latitude, which offers consumer finance products including credit cards, loans and insurance, said that regular business operations are still being restored, including its customer support centres which are now at full capacity.

The breach has mostly impacted Latitude customers from between 2005 and 2013, who are being urged to stay alert for any phishing scams including suspicious text messages and emails, and to change their passwords. Customers are also being encouraged to check their credit score for any changes or suspicious activity.

The federal government is currently mulling new laws to stop ransom payments, with Cyber Security Minister Clare O’Neil considering making ransom payments illegal. In Australia, there is currently no specific law that prohibits the payment of a ransomware demand.

Cyber Security Minister Clare O’Neil considering making ransom payments illegal. Picture: Martin Ollman/NCA NewsWire

“Latitude’s decision is consistent with Australian government advice,” Ms O’Neil said on Tuesday.

“Cyber criminals cheat, lie and steal. Paying them only fuels the ransomware business model.

“They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals.

“I want Australia to be the most cyber secure country in the world by 2030. To do it, we need to stand strong together in the national interest, and deny hackers and cheats any profits from their crimes.”

As The Australian previously reported, Latitude is now facing a potential class action over the cyber breach. Gordon Legal and Hayden Stephens & Associates announced late last month they were exploring a possible class action against the company, launching an online platform for Latitude customers to register interest in joining the legal suit.

Gordon Legal partner James Naughton said the firms would investigate any economic losses or “emotional harm” caused to customers and expected “thousands” of people to register interest in joining a class action.

“It might be the case that for some people it’s an inconvenience or an annoyance; perhaps they don’t have to do anything at all, or all they have to do is change their driver’s licence or update records or something like that … But it might have serious implications for people … who could be exposed to serious harm if their personal information is released publicly,” he told The Australian.

“(This includes those) who don’t want to be contacted or known for legitimate reasons (such as) … victims of domestic violence or other issues.”

Additional reporting: Sarah Ison


Original URL: https://www.theaustralian.com.au/business/technology/latitude-wont-give-in-to-hacking-ransom-demand/news-story/0e4eddb98fec459b5962ad97d449317b