Latitude facing $50m in fines if found negligent in cyber breach

Latitude could face huge fines if found to have been negligent in protecting 14 million customers caught in a cyber breach launched on the credit card and loan provider.

Sarah Ison

@@sarsison

4 min read

8:55PMMarch 27, 2023.

Updated 7:05AMMarch 28, 2023

Latitude chief executive Ahmed Fahour says the company is ‘rectifying platforms’ impacted by the attack. Picture: Ian Currie

Latitude could face fines of up to $50m if found to have been negligent in protecting the 14 million customers caught up in the cyber breach launched on the credit card and loan provider, as the Australian Federal Police investigates the third high-profile data hack in six months.

The ASX-listed company on Monday revealed almost eight million Australian and New Zealand driver’s licence numbers had been stolen, along with more than six million records, 53,000 passport numbers and just under 100 financial documents.

Of the 6.1 million records stolen, about 5.7 million were provided before 2013, with some dating as far back as 2005.

The Latitude revelation came as Australian gambling giant Crown revealed it was investigating its own potential data breach after Russian ransomware gang Cl0p posted on the dark web that it had compromised 130 companies’ data, of which Crown was one.

“We were recently contacted by a ransomware group who claim they have illegally obtained a limited number of Crown files. We are investigating the validity of this claim as a matter of priority,” a Crown spokesman told The Australian.

Latitude chief executive Ahmed Fahour said the company was “rectifying platforms” impacted by the attack earlier this month and had put in place “additional security monitoring” of its data.

“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly,” he said.

“We urge all our customers to be vigilant and on the lookout for suspicious behaviour relating to their accounts. We will never contact customers requesting their passwords.”

He said customers could continue to make transactions on their Latitude credit cards.

Latitude Financial data breach impacts 7.9 million customers

The loan company, which offers services to customers buying goods at stores such as Harvey Norman, JB Hi-Fi and the Good Guys, raised alarm over a cyber attack earlier this month, which it originally believed had affected 330,000 customers.

Nigel Phair, from the UNSW Institute of Cyber Security, said it was clear Australian organisations were simply “not investing the time or resources into competent cyber security risk management”.

“In the case of Latitude, their initial communications were horrible,” he said.

“The fact is, organisations just need to give a damn.”

Mr Phair said companies that used Latitude had to bear some responsibility and look at their risk management plans around third parties.

In response to the numerous high-profile data breaches last year, Attorney-General Mark Dreyfus introduced legislation to increase maximum fines from $2.2m to $50m or 30 per cent of a company’s adjusted turnover, depending on which was higher.

A company could also face paying three times the value of any benefit obtained through the misuse of information.

“Companies which fail to take adequate care of customer data will face much higher penalties,” Mr Dreyfus said at the time.

The Australian understands it would be up to a court to decide whether the company had been negligent and failed to protect the data – some of which it had held for 18 years – and what fine was appropriate.

The incident is currently being investigated by the Australian Federal Police. On March 17, 2023, “the AFP launched a criminal investigation into the Latitude Financial Services cyber incident and are working closely with Latitude Financial Services. The investigation is ongoing and we cannot comment further at this time,” an AFP spokeswoman said.

Latitude finance admit hackers gained access to more data than revealed

Cyber Security Minister Clare O’Neil said the Latitude breach was “deeply concerning”, particularly as it came after the “large-scale loss of identity information” in the Optus and Medibank breaches.

“The government shares the frustration and concern experienced by many citizens who fear their data may have been stolen on multiple occasions,” she said.

“It remains our position that no customer should bear the cost of a data breach and we are working with Latitude Financial to ensure that customers affected by this attack are protected from immediate and future risks.”

The Australian understands Ms O’Neil has already met Mr Fahour to seek more information over how the breach occurred.

Opposition cyber security spokesman James Paterson said it was critical the government and Latitude “work together closely” to ensure seamless and timely information was being provided to customers: “This will be very distressing news for millions of Australians impacted by the attack. That’s why Latitude customers need calm, factual information about what’s happened, how it may impact them, and any steps they should take to protect themselves in the wake of this incident.”

Ms O’Neil confirmed the National Co-ordination Mechanism – which brings together departments from across state and federal governments – had met five times since March 16 in relation to the Latitude incident.

“Latitude Financial is co-operating with government in responding to this incident, and we expect the company to continue to swiftly provide the government with all information it needs,” she said. “Cyber-attacks are a growing threat and will become a more routine part of our lives for years … this incident is another reminder of the importance of improving Australia’s cyber security and privacy settings to minimise impacts of these threats.”

It comes after a privacy review by the Attorney-General’s Department handed to government in February recommended laws to give Australians the power to seek compensation from companies that failed to protect their data.

Australians should also have the power of “erasure” that would allow them to order companies to permanently delete their data, the department recommended.