Get all your news in one place.
100’s of premium titles.
One app.
Start reading
ABC News
ABC News
Business
business reporters Kate Ainsworth and Emilia Terzon

Up to 8 million Latitude Financial customers in Australia and New Zealand believed to have data stolen in cyber attack

Latitude now says the data of 7.9 million people has been stolen. (ABC News: John Gunn)

Latitude Financial has confirmed that the cyber hack on its systems this month was far worse than originally thought, with around 8 million people's data believed to be stolen.

The company first announced the hack on March 16 and said it believed the data of around 330,000 people had been accessed.

In an update to the ASX, it said of the 7.9 million drivers licence numbers now thought to have been stolen, around 40 per cent — or 3.2 million — were provided to the non-bank lender in the past 10 years.

The stolen data includes current and former customers of Latitude Financial, however, the company is still assessing if some duplicated customer records mean the true number is lower. 

Latitude said an additional 6.1 million records that were provided to the company dating back to "at least 2005" were also stolen in the cyber attack, with roughly 5.7 million — or 94 per cent — provided prior to 2013.

Latitude Financial was established in 2015 after GE Capital sold its Australian and New Zealand business to a consortium led by Deutsche Bank, KKR and Varde Partners.

Latitude Financial confirms data hack is far worse than expected

It says those records include customers' names, dates of birth, address and telephone numbers.

The company also said around 53,000 passport numbers were stolen, and fewer than 100 customers had their monthly financial statements stolen.

Latitude Financial has not disclosed exactly how many people have been impacted by the cyber breach but it is expected to affect millions of customers.

The company said there had been no suspicious activity in its systems since it first disclosed the hack on March 16.

In a statement, Latitude Financial CEO Ahmed Fahour said the company apologised "unreservedly".

"It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident," he said.

"We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them.

"We are also committed to a full review of what has occurred.

"We urge all our customers to be vigilant and on the lookout for suspicious behaviour relating to their accounts."

Latitude Financial has declined repeated requests for an interview with the ABC since it first disclosed the data breach on March 16.

Minister for Cyber Security Clare O'Neil said the extent of the Latitude breach was "deeply concerning".

Latitude Financial provides short-term loans, credit and travel cards, and buy now, pay later services. (ABC News: James Maasdorp)

"Latitude Financial is cooperating with the government in responding to this incident, and we expect the company to continue to swiftly provide the government with all information it needs," she said in a statement.

"It remains our position that no customer should bear the cost of a data breach, and we are working with Latitude Financial to ensure that the customers affected by this attack are protected from immediate and future risks."

Additional personal information stolen

One Latitude Financial customer who requested anonymity told the ABC a photograph of them used by the non-bank lender for identification purposes had been stolen in the hack.

An email sent to customers by Latitude Financial on March 22 and seen by the ABC showed the company informed some customers that additional personal information had been compromised.

The email read:

We have so far identified that the incident has resulted in the following kinds of your personal information being compromised.

We collected this information from you at the time you applied for credit or sought a quote from Latitude so we could verify your identity.

  • Images of your driver licence which, where applicable, included your photograph, name, address, date of birth, licence number, card number and expiry date.
  • The personal information you supplied during your application or quote request which, where applicable, included your full name, address, date of birth, your email and your phone number.
  • A photograph of your face provided as part of Latitude's identity verification process.

The customer told the ABC they felt "violated" having their photo stolen after being reassured it was only needed to verify her identity.

"Thinking that they [the hackers] have a photo of my face with all of those personal details makes me feel a bit violated in all honesty," they said.

"I understand there's photos on social media, but I've chosen to share those.

"I did protest having to take [a photo] for the application but was assured it was just for identification purposes, so I did it."

Latitude said it would reimburse customers who choose to replace their stolen ID documents.

The Department of Foreign Affairs and Trade has confirmed that passports impacted by the breach are still safe to use.

'Unbelievable' that old data was kept

Cyber security expert at the University of New South Wales, Professor Richard Buckland, said it was "pretty unbelievable" that Latitude Financial kept historical customer data on file that dated back to 2005 when it was still owned by GE Capital.

"Regardless of what the legal requirements are for companies to hold data, it's harmful to the people whose data is being held for so long if it's stolen, because it allows criminals to impersonate them, take out loans in their name, and essentially to do anything you and I can do online," Professor Buckland said.

"A criminal can now go online pretending to be you or me. It's dangerous stuff.

"More than half the data that's been lost seems to have been more than 10 years old. Why on Earth is it still being retained?"

Professor Buckland described the extent of the Latitude Financial hack as "unbelievable". (ABC News: Elena De Bruijne)

Professor Buckland said if it was a legal requirement for Latitude to keep customers' records since 2005, despite changing owners, the legislation needed to be revisited.

"If it is true, that the laws are saying that has to be held for so long, then those laws need to be re-looked at because this is a terrible outcome," he said.

Professor Buckland also queried the federal government's approach to retaining data to share with companies to reduce the risk of fraud.

"That's well-meaning, but I think it's misguided," he said.

"We saw with Optus that the government shared the data on the people who were breached with banks and financial institutions to reduce their risk of future fraud.

"Latitude is a financial institution; I hope they didn't share it with Latitude, but this demonstrates that keeping the data and sharing it more widely is actually not the solution.

"It's just creating future risks."

He said with a growing number of cyber attacks in recent months, "everyone in Australia now has to be wary".

"Our biggest risk now to all of us as citizens, is that other people not involved in the hack will try and come along and trick us and scam us using our fear that we might now be vulnerable because of the hack.

"So this is a time for bunkering down and being suspicious of any communications we get."

Professor Buckland said every Australian must now be wary of cyber attacks. (ABC News: Brendan Esposito)

Australia's largest-known financial institution data breach

Latitude Financial is the latest business to be impacted by a data breach in recent months.

Last week, Rio Tinto told staff in a memo that the personal data of current and former employees may have been stolen by a cybercriminal group through third-party app GoAnywhere.

In February, electronics retailer The Good Guys disclosed that up to 1.5 million customers who had signed up for its loyalty program may have had their personal information hacked after a data breach at a third-party company.

Last September, telecommunications company Optus was hit by a cyber attack that compromised the personal information of 9.4 million customers

A month later, private health insurer Medibank confirmed it had also suffered a data breach, affecting 9.7 million Medibank customers.

In the wake of the Optus and Medibank hacks, the federal government confirmed it would rewrite Australia's cyber laws to give the government more powers to intervene.

The attack on Latitude is the largest-known data breach on a financial institution in Australia.

Earlier this month, ANZ apologised after documents containing confidential personal information from its customers were found dumped in a Perth skip bin, including names, addresses and account numbers.

In 2021, National Australia Bank (NAB) confirmed it would pay more than $685,000 in compensation to customers who had their personal data exposed in a 2019 data breach when their information was uploaded to Google Sheets.

Around 13,000 NAB customers were impacted by that breach.

Westpac was also impacted by a data breach in 2019 when its PayID feature was attacked, exposing the details of around 100,000 customers.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.