Latitude records big profit drop after cyber breach

Latitude Financial loss breach cyber

Latitude Financial has reported a statutory loss of up to $105 million in the first half (H1) of FY23 as a direct consequence of the March cyber-attack, the credit card and loans company revealed in an update to its half-year earnings report.

Latitude said it will set aside up to $53 million (after tax) to cover remediation and associated costs resulting from the cyber breach – one of the biggest data losses for an Australian business in the digital age.

The company conceded in its half-year report, however, that “the range of potential outcomes [for any post-breach remediation cost] is large and there are many unknowns”.

Latitude is also anticipating an up to six-fold drop (from $93 million in H1FY22), year-on-year, in cash earnings, estimating a cash profit of between $15 million and $25 million for H1FY23.

Latitude blamed the financial hit largely on the shuttering of key parts of its business as it sought to limit the impact of the breach. Due to the severity of the incident, the company halted new account originations and “closed or severely restricted” account (debt) collections for around five weeks after the attack – which targeted a third-party data holder – was publicly disclosed.

Regular commercial operations have now been “fully restored”, the company confirmed.

Approximately 7.9 million current and past customers’ as well as applicants’ personal information was exfiltrated in the breach, Latitude revealed last month, which included driver licence numbers, names, addresses and dates of birth, as well as income and expense information.

An additional 6.1 million partial records were also compromised in the breach.

Also last month, Latitude confirmed that it refused to comply with a ransom demand from the hackers behind the breach. Newly appointed chief executive Bob Belan stated at the time that there was “no guarantee that [agreeing to the ransom demand] would result in any customer data being destroyed” and would “only encourage further extortion attempts” on other businesses.