Roughly 14 million customer records stolen from Latitude Financial could be posted to the dark web after the personal finance company refused to pay a ransom request demanded by the group behind last month's cyber attack.
Latitude Financial is still investigating the breach and has been steadily emailing customers letting them know their personal details have been compromised.
But people who believe they were never a Latitude customer are also receiving emails from the company, saying their personal details have been affected.
So how do you know whether you are an indirect customer of Latitude Financial who may be impacted by the cyber breach?
Let's break it down.
What is Latitude Financial?
They're a company that provides personal finance products to customers in Australia and New Zealand, ranging from credit cards, personal loans, car loans and insurance.
Latitude is largely known for offering interest-free credit cards and buy now, pay later schemes with major retailers.
Their current CEO is Bob Belan, who took over from Ahmed Fahour earlier this month. Mr Fahour was at the helm since 2018, and was a previous boss of Australia Post.
Mr Belan has been with Latitude Financial since 2021, and was most recently Latitude's executive general manager of Latitude's personal loans business unit. He co-founded Symple Loans, which was acquired by Latitude in 2021.
You've likely heard about Latitude Financial in the past month due to a cyber attack, when the company disclosed that 330,000 customer details were stolen.
That figure has since increased to 14 million customer records — including 7.9 million drivers licences.
Earlier this week, the company confirmed it had received a ransom request from the criminal group behind the hack, but it would not pay it.
How long has Latitude Financial existed for?
The Latitude Financial brand was born in 2015, but the business itself has existed for decades.
To understand Latitude's history, we need to go back to 1925 when the Australian Guarantee Corporation was founded.
It was one of Australia's oldest finance companies and specialised in personal lending.
Fast forward to 1957 and the Bank of New South Wales (now Westpac) bought 40 per cent of AGC and slowly increased its stake in the business over the years until Westpac bought the company entirely in 1988.
In 2002, Westpac sold AGC to GE Capital, which used AGC to establish the GE Money brand in Australia, which included the GE Consumer Finance and GE Capital Finance businesses.
Two years later in 2004, GE Money purchased Wizard Home Loans from businessman Mark Bouris for $400 million, only to sell it to Aussie Home Loans for an undisclosed amount in 2009.
In 2014, GE Money warned Australian customers it had been affected by an internet security bug known as Heartbleed, which impacted encryption software used to secure online communications globally. Around 10 per cent of businesses in Australia were estimated to have been affected by the bug.
Then in 2015, GE Money sold its Australian financial services business entirely to a group of investors from Deutsche Bank, KKR and Värde Partners for $8.2 billion.
The consortium then rebranded the business to Latitude Financial and enlisted Hollywood actor Alec Baldwin to be the face of their advertising campaigns, telling Australians "you can do better" and spruiking personal loans and credit cards.
Although GE Money no longer exists in Australia, Latitude Financial took on responsibility for GE Money's business — including its products, customers, and data.
Why is the GE Money connection important?
Because some of the data that was stolen from Latitude Financial dates back to 2005 — meaning customers of GE Money between 2005 and 2015 have been affected by the breach.
Latitude Financial told the ASX on March 27 that only 40 per cent of the 7.9 million drivers licence numbers that were stolen were from the past decade — meaning 60 per cent, or around 4.7 million, pre-dated 2013.
But it's not just drivers licences that were stolen — 6.1 million records that contained personal information like names, addresses, phone numbers and dates of birth, with 94 per cent of those (or 5.7 million records) provided prior to 2013, back when Latitude Financial was GE Money.
The GE Money brand offered a range of financial services between the GE Consumer Finance and GE Capital businesses.
GE Capital Finance had a partnership with Coles Group to offer branded credit cards for Coles and Myer — a relationship that was formed when Coles Myer sold its credit card business to GE Capital back in 1995.
Coles and GE Capital partnered in July 2014 to offer the Coles Mastercard credit card and personal finance products.
That agreement came to an end in May 2015, when Wesfarmers purchased GE Capital's 50 per cent stake in Wesfarmers Finance.
Coles now has a 10-year agreement with Citi Australia, which is owned by NAB, after signing a deal to distribute the cards in 2016.
GE Capital also offered credit cards with Myer, which began in 2007 and included the Myer Visa Card and Myer Card Black.
Myer's credit cards have been issued by Macquarie Bank since 2017, after the retail giant's partnership with Latitude was terminated.
GE Capital finance was also used by several major retailers, including Harvey Norman, with the majority of those professional relationships carrying over to the Latitude Financial brand.
What does Latitude Financial offer?
There are four main financial product categories that come under the Latitude Financial umbrella: personal loans, car loans, credit cards and insurance.
Under its credit card offering, Latitude has four options:
- Latitude 28° Global Platinum Mastercard
- Latitude Gem Visa
- Latitude GO Mastercard
- CreditLine
Latitude has previously offered seven other credit cards under its main brand:
- Latitude Low Rate Mastercard
- Latitude Infinity Rewards Visa
- Latitude Mastercard
- Latitude Eco Mastercard
- Buyer's Edge
- Care Credit
Until recently, Latitude also offered a Buy Now, Pay Later service called LatitudePay, which was a rival to AfterPay and allowed customers to spread the cost of their purchases over 10 weekly interest-free payments.
In February this year, prior to the cyber attack, Latitude Financial announced LatitudePay would be closing, and stopped accepting new customers on April 11.
The company said existing customers would still be able to make their payments, and their accounts would be closed on their behalf after their final repayment was made.
Latitude is currently not issuing insurance policies, which covered job loss, credit cards, personal loan and repayment protection insurance.
In August 2022, Latitude announced it had entered an agreement with St Andrew's Insurance Group to sell its Hallmark Insurance business for $20.3 million, saying it wanted to focus on its "core businesses" of payment instalments and consumer lending.
What businesses use Latitude Financial's products?
It's a long list, and it depends which product you're talking about.
Latitude has partnerships with several major retailers through its different credit cards.
For example, Latitude has an exclusive deal with Apple, which allows customers to finance their products through its CreditLine credit card — but it offers interest-free repayments if customers use other Latitude credit cards.
Harvey Norman, Domayne and Joyce Mayne are partnered with the Latitude GO Mastercard credit card.
Latitude's Gem Visa card, which is marketed as "the credit card made for shopping", is partnered with JB Hi-Fi, Amart Furniture and The Good Guys, but has interest-free offers with 91 businesses (or "stores we love"), including:
- Ultra Tune
- Samsung
- Freedom
- BBQs Galore
- Bay Audio
- Bob Jane T-Marts
- Carpet Call
- Michael Hill
- Clark Rubber
That's far from an exhaustive list — you can see the entire list of stores that offer interest-free payments through the Gem Visa credit card here.
Last year, Zenith Payments signed an agreement with Latitude Financial that allowed people to use interest-free instalments through Latitude's credit cards for three of Zenith's brands:
- TravelPay, for interest-free holiday payments
- Rental Rewards, to pay secure rental payments and bonds
- School EasyPay, which allows families to pay their children's school fees
Meanwhile, David Jones is the latest company to take out a credit card deal with Latitude Financial — they signed on after their agreement with American Express came to an end.
The deal was announced in January and is scheduled to begin later this year, but existing customers won't be transferred until 2024.
A David Jones spokesperson has confirmed to the ABC that the deal between the two businesses is going ahead despite the data breach.
"However, subject to the findings of the investigation, we will wait to ensure that all the right data security measures are in place before we go live," they said.
I'm not a customer of Latitude, why are they emailing me?
If you've received an email from Latitude Financial about the data breach, chances are you've had a connection with the company in some way.
Even if you haven't had direct contact with the company as Latitude Financial, if you had any connection with GE Money — whether that be applying for a credit card or personal loan, or actually taking one out — that's likely how you are implicated.
If you've taken out a payment plan with a major retailer like Harvey Norman, Domayne or Apple in recent years, there is a good chance your data has been involved in the Latitude breach.
To find out whether your details have been caught up in the hack, you can get in touch with Latitude Financial here.
Why were my details being kept on file?
This is where we enter the grey area — the laws around financial institution data retention are unclear, and it varies across different jurisdictions and industries.
The Office of the Australian Information Commissioner is responsible for ensuring organisations follow the Privacy Act, and other laws when handling personal information.
The OAIC must be notified when a data breach involving personal information has occurred, and relies on the Australian Privacy Principles as guidelines.
Principle 11.2 of the APPs states that "entities must also take reasonable steps to destroy or de-identify the personal information they hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs".
"This requirement does not apply where the personal information is contained in a 'Commonwealth record' or where the entity is required by law or a court/tribunal order to retain the personal information."
The ABC does not suggest Latitude Financial has infringed on or breached this principle.
Last month, associate professor in regulation and governance at the University of New South Wales, Rob Nicholls, said destroying customer data can be a costly exercise.
"I think part of the problem is that it's cheaper to keep data than to cleanse it properly," he told the ABC last month.
Mr Nicholls also said it raises questions around corporate and data governance, and Latitude should have queried why they had 14 million customer records but only 3 million customers.
How do I know if I've been affected?
If you haven't received an email but have applied for a credit card or loan under the Latitude (or GE Money) brand, your best bet is to get in touch with Latitude directly.
Their customer service centre is back online after it was taken down following the cyber hack, but the company acknowledges there are residual delays — after all, there have been 14 million customer records affected by this breach.
On Tuesday, Latitude said its customer contact centre was operating at full capacity and was experiencing a high volume of calls.
Latitude has established a dedicated line for the cyber attack, which past and present customers can access on 1300 793 416.
Latitude Financial also has a dedicated section on its website for anyone affected by the breach about actions they can take, which you can access here.
Is there a class action against Latitude Financial?
Potentially. Gordon Legal and Hayden Stephens and Associates have joined forces to investigate the possibility of a class action over the data breach, which has compromised the personal information of Latitude Financial customers.
Past and present customers of Latitude Financial are able to register their interest in the class action via a dedicated website, which will provide them with updates on the legal firms' investigation.
Currently, there is no deadline for registering, but people registering must confirm they are a current or former customer of Latitude Financial.