Latitude Says It Won’t Be Paying Ransom

On March 16, Australian financial services firm Latitude began alerting customers of a data breach, one it described as being the result of a “sophisticated and malicious cyber attack”. Now, the criminals are asking for a ransom – but Latitude Financial isn’t paying.

If you’ve heard the name, but you’re not sure where, Latitude provides consumer finance services to the likes of JB Hi-Fi, Harvey Norman and The Good Guys, to name a few.

In a statement breaking the news on March 16, Latitude confirmed the theft of customer data. It said personal information that was held by two service providers (Latitude did not identify those service providers) was stolen. It said that in total, about 330,000 customers in Australia and New Zealand were “at risk”. It also said about 96 per cent of all documents breached contained copies of driver’s licences, or at least licence details, and that less than 4 per cent of the information stolen in the cyber attack contained passport details.

At the time, Latitude said it took immediate action after becoming aware of the cyber attack, but said the attacker was able to obtain Latitude employee login credentials before the incident was isolated. The attacker appears to have then used these employee login credentials to steal the personal information that was held by those two unnamed service providers.

In an update shared to the ASX on March 21, Latitude confirmed that it was a “sophisticated, well-organised and malicious cyber attack which remains active”, adding:

“As our review deepens to include non-customer originating platforms and historical customer information, we are likely to uncover more stolen information affecting both current and past Latitude customers and applicants. We will provide a further update when we have more to share.”

Keeping the updates coming, Latitude on March 27 confirmed what everyone hoped wasn’t going to be the case.

“As our forensic review continues to progress, we have identified that approximately 7.9 million Australian and New Zealand driver licence numbers were stolen, of which approximately 3.2 million, or 40 per cent, were provided to us in the past 10 years.”

Latitude said that in addition, approximately 53,000 passport numbers were stolen and just under 100 customers had their monthly financial statements stolen. Also stolen in the cyber attack, Latitude confirmed, were a further 6.1 million records dating back to “at least” 2005 that could include the name, address, phone number and/or date of birth of current customers, former customers, or even those who applied to be customers.

Fast-forward to this week, and yesterday, April 12, Latitude shared to the ASX an update that basically said the criminals are asking for money in exchange for data.

“Latitude Financial has received a ransom demand from the criminals behind the cyber-attack on our company,” the announcement read. “Latitude will not pay a ransom.”

This is consistent with advice from the Australian government and security experts. It’s the position of the company that paying a ransom will be detrimental to its customers and cause harm to the broader community by encouraging further criminal attacks.

“We will not reward criminal behaviour, nor do we believe that paying a ransom will result in the return or destruction of the information that was stolen,” the company wrote.

Unfortunately, the stolen data the attackers have detailed as part of their ransom threat is consistent with the number of affected customers known by Latitude.

Latitude has engaged the Australian Cyber Security Centre and the Australian Federal Police, and its CEO Ahmed Fahour said he apologises “unreservedly”.

Six months ago, Optus disclosed a data breach, followed closely by Medibank. The ramifications of both are still being felt by customers and it’s likely the situation with Latitude will be continually updated.

This article has been updated since it was first published.

