Latitude Financial will not pay a ransom to those behind a cyber attack, as the details from 14 million customer records remain at risk of being released.
Latitude has told the stock exchange it has received a ransom demand but will not pay, based on the advice of the federal government and cyber crime experts.
"Latitude will not pay a ransom to criminals," Latitude chief executive Bob Belan said.
"Based on the evidence and advice, there is simply no guarantee that would result in any customer data being destroyed.
"[It] would only encourage further extortion attempts on Australian and New Zealand customers in the future."
Latitude would not reveal the amount of money hackers demanded it pay.
Cybersecurity expert Ryan Ko has backed Latitude's decision not to pay up.
"The advice not to pay is the right one, because if you pay, there's no guarantee that they wouldn't do it to you again," Professor Ko, the head of cyber at the University of Queensland, told the ABC.
As for what happens to the stolen data now, Professor Ko said that is out of Latitude's control.
"Now the criminals will be evaluating the risk of releasing data and how that will incentivise the authorities or the law enforcement agencies to come and take them down.
"Now the ball is basically out of [Latitude's] court, they can't do much except work with the authorities and unfortunately, the consumers are now sitting ducks."
Latitude said the matter is under investigation by the Australian Federal Police and it is also working with the Australian Cyber Security Centre and other experts on its response.
Latitude 'in process' of contacting affected customers
In mid-March, the non-bank lender initially disclosed that more than 330,000 customer records were caught up in a data breach, but that subsequently widened to include many millions of records.
In late March, it was confirmed that 14 million records, including 7.9 million driver's licences, were compromised by the incident.
Today, Latitude said the stolen data detailed in the ransom demand was consistent with the number of affected customers the company had previously disclosed.
"We are in the process of contacting all customers, past customers and applicants whose information was compromised, outlining details of the information stolen, the support we are providing and our plans for remediation," it said, stating that its call centre and customer service operations were now operating as normal.
However, some people reported lengthy wait times or being cut off while on hold when trying to get through to the company.
Latitude told the ABC that, while the customer contact centre is operating at full capacity, it is experiencing a high volume of calls, and encouraged those enquiring about the cyber attack to call a dedicated line on 1300 793 416.
Customers have complained about Latitude's lack of communication in the wake of the attack.
Paying a ransom risks making 'sucker list'
If Latitude had paid the ransom, apart from going against government advice, Professor Ko said it would have made itself a target for further attacks.
"Most of the companies that have paid the ransom internationally have been placed on what the criminals call a 'sucker list'," Professor Ko said.
"The list gets shared around the world and these people, ultimately, will be hit with more ransomware attacks and it never ends.
"So the advice is don't pay and reduce the incentives of gangs to come back again."
The Latitude update comes as federal cyber security minister Clare O'Neil has announced that banks and financial services companies will undertake 'war games' to prepare for future cyber attacks.
Last year's high-profile Medibank cyber attack saw hackers posting stolen customer information to the dark web, after demanding a $15 million ransom from the health insurer.
In response to the Medibank breach, Ms O'Neil said the government was considering making it illegal for companies to pay ransoms to hackers, among other reforms.
"If this is done nationally, then it will be a smart move, because this discourages ransomware gangs to target Australian targets, because there's no way they can get any money so they move on to another country," Professor Ko said.
"However, the reality is the IT services that we use are not just from Australia, so this is where the grey area comes."