ABC News
business reporters Kate Ainsworth and Emilia Terzon

Latitude Financial hit by cyber attack, more than 300,000 identity documents stolen

Latitude Financial says the data of more than 300,000 customers was stolen in the 'malicious' cyber attack.

Latitude Financial — a company that issues consumer loans and runs a buy now, pay later scheme used by major retailers — has revealed hackers have stolen the personal information of more than 300,000 customers, including drivers licences.

The non-bank lender told the ASX it had detected unusual activity on its systems "over the last few days" that "appears to be a sophisticated and malicious cyber attack".

The information stolen includes:

  • 103,000 identity documents — with 97 per cent of those being copies of drivers' licences from one provider
  • 225,000 customer records from the second service provider.

Latitude provides buy now, pay later (BNPL) schemes to a number of major Australian retailers, including Harvey Norman, JB Hi-Fi, David Jones and The Good Guys.

It last month announced it was shutting down that BNPL offering in Australia and New Zealand.

It will continue to provide its main fare of personal credit cards, travel credit cards, and short-term personal loans.

UNSW cybersecurity expert Richard Buckland told ABC News the breach was "very concerning" given the level of information people have to give over to get loans.

"It's precisely the information an attacker needs to take out a loan in your name: the information you use to take out a loan in your name," Professor Buckland said.

Latitude has 2.8 million current customers. It could not tell ABC News whether the hack concerned only their data or potentially former customers too.

Professor Buckland said the company's statement was "a bit coy" about what precisely had been stolen.

Professor Buckland said the Latitude breach was "very concerning". (ABC News: Elena De Bruijne)

He said it was unclear if the drivers licences' card ID numbers had been accessed, which would make the breach more concerning than simply the cards themselves being stolen.

"This information could be, and will be presumably, shared and shared with other criminals," Professor Buckland said.

"It can be aggregated with other information to build a more accurate picture of you.

"And pieces of information, joined with other pieces of information, become more valuable to criminals.

"It's just more and more information that's available to impersonate you in a range of ways."

Cyber Security and Home Affairs minister Clare O'Neil said Latitude was cooperating with the Australian Cyber Security Centre (ACSC) and regulators "to minimise the damage resulting from this incident".

"Latitude Financial is cooperating with the [ACSC] to support incident response and receive ongoing technical advice," Ms O'Neil wrote on Twitter.

"The [ACSC] is working with Latitude and relevant law enforcement agencies to respond to this cyber security incident.

"The Department of Home Affairs is working with all relevant agencies across government to ensure appropriate support is available to anyone whose data has been exposed."

Despite commitments for greater security measures from the federal government, independent cybersecurity expert Troy Hunt said it will take time before they make a difference in reducing cyber attacks.

"We're not going to see an overnight turnaround, although, anecdotally a lot more organisations have become more aware of their security posture," he said.

"But unfortunately, these things do take time to implement."

He said a rapid change of pace in the cyber security area has meant many businesses are becoming overwhelmed and require support to become more secure.

"I'd like to see more ongoing support from government, we do have some excellent resources from the likes of ASD and the ACSC as well, but I'd like to see more support to help organisations become more secure from the outset," he said. 

Mr Hunt said people need to shift their attitudes towards creating several unique high-strength passwords, instead of using one password frequently to help protect themselves from the threat of hackers.

"We're moving away from guidance like that [and] moving very much towards uniqueness of password, never using the same one anywhere over and over again," he said.

"Really the only way people can do that is with a password manager, whether that's a digital version ... or even a notebook where you write down unique passwords."

How did this cyber attack happen?

Latitude says the attack started from a major vendor the company uses, which the ABC understands was essentially a back-end infrastructure provider.

Latitude says the hackers then obtained the login details of a Latitude employee.

Those credentials were then used to steal identity documents from two of Latitude's service providers, the ASX-listed company said.

Latitude says it's "doing everything in its power to contain the incident and prevent the theft of further customer data", and is contacting those customers affected by the attack.

The Australian Cyber Security Centre is working with the company, and Latitude says it's cooperating while authorities investigate. 

Latitude is just the latest high-profile company in Australia to be targeted by hackers.

In October, about 9.7 million current and former Medibank customers had their data accessed by criminals.

Optus data was also hacked.

Last month, the federal government announced plans to overhaul a $1.7 billion cyber security plan set up under Scott Morrison.

A national cyber office — led by a new coordinator for cyber security — will be established under the Home Affairs Department to lead the renewed strategy.

"This is not going away," Professor Buckland said.

"Hacks are happening all the time. Companies are still collecting data and not looking after it properly."

Latitude declined an interview with ABC News.

It only debuted on the ASX about two years ago. It entered a trading halt before announcing the cyber attack.
