Over 328,000 customers of Latitude Financial have had their data stolen during a “sophisticated and malicious” cyber-attack.
On March 16, the Melbourne-based consumer finance provider—one of the biggest non-banking lenders in the country—called for a halt to trading and revealed the incident had been isolated.
The company said the hackers obtained employee login credentials and were able to steal personal information via two “service providers” or contractors.
“As of today, Latitude understands that approximately 103,000 identification documents, more than 97 percent of which are copies of drivers’ licences, were stolen from the first service provider.
“Latitude apologises to the impacted customers and is taking immediate steps to contact them.”
The company said it would continue to respond and do “everything in its power” to contain the incident.
Cyberattacks on Large Organisations an Ongoing Trend
The attack on Latitude is the latest in a series of cyberattacks targeting Australia’s largest firms, including Optus (the second-largest telecommunications provider), Medibank (the largest private insurer), Woolworth’s MyDeal, and the Australian Department of Defence.
Rob Nicholls, associate professor at the University of New South Wales, said the major challenge for Latitude going forward would be winning back the confidence of consumers.
“We’ve seen Telstra and Vodafone take on a significant number of customers in the last quarter, primarily as a result of the breach of Optus,” he told The Epoch Times. “And that is a loss of trust. It becomes even more critical for a business that’s providing financial services.”
Nicholls also said that the fact an “external service provider” was responsible for losing the data did not absolve Latitude of its responsibilities. A service provider could be the data host or credit reference provider used by Latitude.
“The fact that Latitude has taken customer information—entrusted to Latitude’s use—without ensuring those service providers have adequate cybersecurity is entirely problematic,” he said.
Nicholls also said too many businesses were quick to say “sophisticated” actors were behind cyberattacks.
“Even when the cyberattack isn’t terribly sophisticated, they claim there are state actors behind it,” he said.
To Counteract Cyberattacks, Labor Ups Regulation
The federal government has responded to the increasing cyberattacks on Australian public and private institutions by introducing an amendment to the Privacy Bill on Oct. 26.
The amendment will significantly increase penalties to organisations for serious or repeated privacy breaches, a move the Labor government hopes can compel businesses to do more on cybersecurity.
It will also strengthen the Notifiable Data Breaches scheme to ensure the Information Commissioner has knowledge of an incident and the data compromised.
“These amendments are targeted and measured,” Attorney General Richard Dreyfuss said. “They respond to the most pressing issues arising from the Optus data breach and other recent cyber incidents.”
Yet Nicholls has previously warned that these measures are simply increasing red tape for businesses, saying a part of the problem is the amount of data companies are required to obtain under law.
He said companies were required to obtain identity documents under the Know Your Customer guidelines that include birth certificates, driver’s licenses, or passport numbers.