Get all your news in one place.
100’s of premium titles.
One app.
Start reading
ABC News
ABC News
Business
business reporter Emilia Terzon

Latitude Financial warns customer data breach could widen and hack 'remains active'

Latitude Financial is thought to be one of the first examples in Australia of a major data breach on a financial services company. (ABC News: John Gunn)

The amount of customer data stolen from Australian company Latitude Financial may grow, with the non-bank lender confirming that drivers licences, passports and Medicare numbers have already been hacked.

The company went public about the cyber attack last Thursday.

It said then that about 330,000 customers were thought to have had their personal information stolen. 

Today it reiterated that the vast majority of data thought to have been stolen were copies of licences and their numbers.

However, it said about 5 per cent of what had been confirmed stolen was copies of passports and Medicare cards.

The company said on Monday the scope of what was thought to have been stolen might grow as it continued to review "non-customer originating platforms and historical customer information".

 "We are likely to uncover more stolen information affecting both current and past Latitude customers and applicants," it said.

"Latitude encourages our customers to remain vigilant. We will never contact customers requesting their passwords."

"The attack on Latitude is now the subject of an investigation by the Australian Federal Police."

It said also the situation "remains active".

UNSW Institute for Cybersecurity's Associate Professor Rob Nicholls said this was "even more concerning".

"It suggests that Latitude's service providers have not really addressed the problem," he told ABC News. 

"It also increases the likelihood of a hybrid attack that is both ransom and theft.

"If the intruders are still in the system, they have an opportunity to encrypt files."

The non-bank lender offers short-term loans, credit cards and travel cards, and buy now pay later services with major retailers, including Apple, Harvey Norman and JB Hi-Fi.

The company has faced anger and criticism from its estimated 2.8 million customers about the cyber attack.

Some have criticised the company for not telling them sooner what sort of data had actually been breached or if their information had been compromised.

The company's call centre is also offline, apparently due to ongoing security risks after the hack, which is only further upsetting customers.

Latitude says it will today start contacting customers who are thought to have had their data stolen.

It noted the breach affected past and present customers.

Today, Latitude's chief executive Ahmed Fahour apologised to them.

“I sincerely apologise to our customers and partners for the distress and inconvenience this criminal act has caused," he said in today's statement.

"I understand fully the wider concern that this cyber-attack has created within the community.

"While we continue to deliver transactional services, some functionality has been affected resulting in disruption.

"We are working extremely hard to restore full services to our customers and merchant partners and thank them for their patience and support. We understand their frustration."

Latitude has provided limited details about the data breach to its customers so far. (ABC News: Sean Warren)

The incident follows well-publicised breaches on telco Optus and private health insurer Medibank.

Latitude Financial did not reply to questions from ABC News about whether the hackers had asked for a ransom.

Medibank customers' data was posted to the dark web last year after the insurer refused to cough up money to a Russian-linked entity for its stolen data.

The federal government has previously backed the decision of companies not to pay ransoms, and it has also announced plans to overhaul a $1.7 billion cybersecurity plan set up under former prime minister Scott Morrison.

A national cyber office — led by a new coordinator for cybersecurity — will be established under the Home Affairs Department to lead the renewed strategy. 

Speaking on Friday, federal Treasurer Jim Chalmers confirmed Latitude was working with relevant federal authorities on the "substantial cyber breach", which is potentially subject to a criminal investigation.

"People are obviously concerned when we have these kinds of data breaches," he said.

"And there's a hunger for information, and I understand that."

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.