Get all your news in one place.
100’s of premium titles.
One app.
Start reading
ABC News
ABC News
Business
business reporter Emilia Terzon

Latitude customers are furious: some have had data hacked before through Medibank and Optus

Latitude customer Courtney Randall is awaiting further information on the data breach. (Supplied:  Courtney Randall)

Courtney Randall can only joke about how much of her personal information has been potentially leaked in a breach.

"It's a slap in the face," she said.

"It's gotten to the point where the only sensitive piece of information that hasn't been leaked about me on the internet is my favourite colour."

The Queensland resident took out a small loan with Latitude Financial to pay off her mobile phone bill.

The non-bank lender is the latest major Australian company to have the data of its customers hacked by unknown criminal entities.

Latitude Financial is thought to be one of the first examples in Australia of a major data breach on a financial services company. (ABC News: John Gunn)

More than 300,000 people are so far thought to be impacted by the cybersecurity breach early this week.

At least 100,000 driver's licenses are among the sensitive information stolen, Latitude Financial says.

The company has almost 3 million current customers.

Ms Randall does not know if she is one of the unlucky cohort. Unfortunately, this waiting game is not new to her.

She is a customer of telco Optus and a former one of the private health insurer Medibank, which were also both hacked last year. Ms Randall is furious at this situation and the response from companies and the government.

"I've got no compensation," she said.

"Time and time again, I've received vague emails and no follow-ups."

Two states away, Jorge Gonez has also been here before.

The Victorian resident has struck the terrible trifecta: Optus, Medibank, and now, Latitude Financial. 

"This is our third data breach," he said.

Jorge Gonez doesn't know if his data is among the Latitude breach. (ABC News: Peter Lewis)

Mr Gonez used a broker connected to Latitude Financial to get a car loan with the ASX-listed company.

After finding out about the Latitude hack in the media on Thursday, he is waiting for the company to tell him if he is among the impacted customers. 

Like Ms Randall, he is aware of what he may now need to do now to give himself peace of mind from identity theft or financial crime. There is the hassle of potentially getting his driver's licence re-issued, changing bank accounts, or re-applying for credit cards.

"What I'd like to know is: what information exactly has been accessed so I can take the next steps?" he said.

"I feel left by the side [by Latitude]. Considering that when we got the loan with them, we were asked to provide a lot of information, which we did."

Mr Gonez used a loan from Latitude Financial to buy a car. (ABC News: Peter Lewis)

Latitude sent many customers an email about the breach on Thursday evening. In comments replying to people on social media, the lender's representatives also said its contact centres are "currently unavailable" so it can "ensure no further security risks occur".

"It just absolutely baffles me," Ms Randall said.

"They just send an email brushing over the entire thing."

Latitude Financial did not reply to questions from ABC News about whether its hackers have asked for a ransom. Medibank customers' data was posted to the dark web last year after the insurer refused to cough up to a Russian-linked entity for its stolen data.

The federal government has previously backed the decision of companies not to pay ransoms, and it has also announced plans to overhaul a $1.7 billion cyber security plan set up under the last prime minister Scott Morrison.

A national cyber office — led by a new coordinator for cyber security — will be established under the Home Affairs Department to lead the renewed strategy. 

Speaking on Friday, federal Treasurer Jim Chalmers confirmed Latitude was working with relevant federal authorities on the "substantial cyber breach", which is potentially subject to a criminal investigation.

"People are obviously concerned when we have these kinds of data breaches," he said.

"And there's a hunger for information, and I understand that."

What happened to Latitude's data?

The listed company announced the hack on Thursday morning via the ASX.

It said the attack started from a major vendor the company uses, which the ABC understands was essentially a back-end infrastructure provider. Latitude says the hackers then obtained the login details of a Latitude employee.

Those credentials were then used to steal customer records and driver's licenses from two of Latitude's service providers.

The company has not clarified what it means by service providers, but there is speculation it involves data hosting partners or brokers who onsold the lender's products.

UNSW Institute for Cybersecurity's Associate Professor Rob Nicholls said there was little clarity so far about what sort of information had been stolen by Latitude's hackers. 

"What we don't know is just how detailed those customer records are. Is it just name and address and phone number? Or is it name, address credit card? Number, credit score?"

The academic believes this is one of the first major examples, at least that is known publicly, of a financial services company in Australia being targeted by cybercriminals.

He said attacks on the financial system were particularly worrying because of the sorts of detailed information the sector held together.

"There is that risk of the credit card information, combined with the personalised information, could allow credit card fraud on a very large scale in a very short period of time," he said.

"If I'm a cybercriminal and I got the credit card number yesterday, I'm probably going to try to max out that card by today."

Associate Professor Nicholls said it did not really matter if the breach originated inside Latitude's systems or in service providers that are along its supply chain.

"Having some cyber security in your supply chain is actually just a part of doing business," he said.

"And in the financial services sector, it's a critical part of doing business."

Associate Professor Nicholls believes this could be the first major hack of a financial services company in Australia. (ABC News: John Gunn)

Latitude describes the attack on its systems as "sophisticated" and "malicious".

Customers like Ms Randall want more information from the company about what it was doing to protect her data.

"We have these companies saying to us: we are the victim of this cyber-attack," she says.

"But given the number of attacks in the last couple of months and the fact I've been personally affected by three separate attacks in six or seven months, it is really making me question: Are these sophisticated cybercriminals launching these attacks?

"Or is it just these companies have so little investment in cybersecurity?"

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.