The hack of Australian finance firm Latitude Financial is worse than initially thought.
In mid-March, the consumer finance provider estimated around 328,000 customers had their data stolen by hackers; that number has now ballooned to over 14 million, according to an investor statement.
Latitude Group confirmed on March 27 that 7.9 million Australian and New Zealand driver’s licence numbers were stolen, of which 3.2 million (around 40 percent) were provided in the last 10 years.
Another 6.1 million records dating back to 2005 were stolen including names, addresses, telephone numbers, and dates of birth—of which 5.7 million (around 94 percent) were provided before 2013.
The company revealed 53,000 passport numbers had also been lost in the data hack, and fewer than 100 had their monthly financial statements taken as well.
Latitude said it would reimburse customers who have to replace their stolen documentation.
“We recognise that today’s announcement will be a distressing development for many of our customers and we apologise unreservedly,” the company said in the update.
“We are writing to all customers, past customers and applicants whose information was compromised outlining details of the information stolen and our plans for remediation.”
The Australian Federal Police and Australian Cyber Security Centre are investigating the incident.
Latitude Will Wear the Consequences, Expert Says
On March 16, the Melbourne-based company—one of the biggest non-banking lenders in the country—called for a halt to trading while saying the incident had been isolated.
Latitude said the hackers obtained employee login credentials and were able to steal personal information via two “service providers” or contractors.
The attack is the latest in a series of cyberattacks targeting major Australian firms, including Optus (the second-largest telecommunications provider), Medibank (the largest private insurer), Woolworths’ MyDeal, and the Australian Department of Defence.
Rob Nicholls, associate professor at the University of New South Wales, said the major challenge for Latitude going forward would be winning back the confidence of consumers.
Nicholls also said that the fact an “external service provider” was responsible for losing the data did not absolve Latitude of its responsibilities. A service provider could be the data host or credit reference provider used by Latitude.
“The fact that Latitude has taken customer information—entrusted to Latitude’s use—without ensuring those service providers have adequate cybersecurity is entirely problematic,” he said.
Nicholls also said too many businesses were quick to say “sophisticated” actors were behind cyberattacks.
“Even when the cyberattack isn’t terribly sophisticated, they claim there are state actors behind it,” he said.
“When there are high-value targets, like financial services that keep the information, or businesses that might be persuaded to pay a ransom for their own data set, you don’t need a state actor involved.”