Latitude breach far worse than first thought; 14 million records now feared lost

Latitude Data Lost Breach cyber-attack

Latitude Financial has revealed that upwards of 14 million customer records have been lost – 42 times higher than its initial estimate – including around 7.9 million individual Australian and New Zealand licence details, following a malicious breach of records-holding systems nearly a fortnight ago.

The company, which first reported the cyber breach on Thursday 16 March, at the time reported that a little more than 320,000 records (including 100,000 ID documents, comprising drivers’ licence details and 225,000 customer records) were lost in what it referred to as a “sophisticated and malicious” cyber-attack.

The hack, while not appearing to target Latitude’s systems directly, impacted third-party systems that hold Latitude customer records.

On Monday, 20 March, the company announced it would move to isolate key technology systems and take core platforms holding customers’ personally identifiable data offline.

Despite the systems shut down, Latitude reports that “to the best of [its] knowledge, no suspicious activity has been observed in [its] systems since Thursday 16 March 2023”.

In an announcement to the Australian Securities Exchange (ASX) today, outgoing chief executive Ahmed Fahour said the company is “working around the clock to safely restore [Latitude’s] operations.”

“We are rectifying platforms impacted in the attack and have implemented additional security monitoring as we return to operations in the coming days.”

Of the 7.9 million licence records reported lost, approximately 40 per cent (a total of 3.2 million records) were provided by customers to Latitude over the last 10 years.

A further 6.1 million records dating back to at least 2005 were also stolen, of which approximately 5.7 million, or 94 per cent, were provided before 2013.

These records, Latitude confirmed, include either individuals’ names, addresses, telephone numbers, and/or dates of birth.

The credit card and loans company also confirmed that an additional 53,000 passport numbers were stolen, as well as around 100 individual customer records of monthly financial statements.

In its latest FY2022 report, released to the market last Friday and which did not include details of the recent cyber incident, Latitude noted that many of the platforms and systems it uses to support its operations are internet-facing.

“Given the evolving risks associated with cyber, the [Latitude] group identifies key data assets and business processes, regularly assesses the effectiveness of its security control environment and designs and implements strategies to mitigate cyber risk to an acceptable level.”

In its statement to the ASX, Latitude conceded the latest announcement would prove “a distressing development for many of its customers”, expressing unreserved apologies to those impacted.

“We are writing to all customers, past customers and applicants whose information was compromised outlining details of the information stolen and our plans for remediation.”

Fahour added: “It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly.”

“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full review of what has occurred.”

Customers were also warned to be on the lookout for suspicious behaviour relating to their Latitude accounts.

The company said it has also undertaken a comprehensive customer care program for affected customers, including a dedicated contact centre, hardship support for vulnerable customers, and targeted assistance IDCARE, a not-for-profit post-cyber incident support service.

While Latitude continues to suspend new customer onboarding, it confirmed that existing customers can still transact using their Latitude credit card.