Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response
Latitude Financial Admits 14M Customer Details BreachedNearly 8 Million Driver's Licenses Stolen, Says Australian Consumer Lender
A hacking incident at Australian non-bank lender Latitude Financial affected a far greater number of individuals than initially disclosed, the company said Monday.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
In an update, the company says hackers stole approximately 7.9 million Australian and New Zealand driver's license numbers. When the company first disclosed in mid-March that it had detected "unusual activity" on its systems, it estimated that hackers stole approximately 100,000 identification documents and 225,000 customer records (see: Australian Non-Bank Lender Discloses Hacks of Customer Data).
The lender in 2022 reported having just over 2.8 million customers, total.
The ongoing investigation has revealed hackers also stole 53,000 passport numbers. Hackers also got ahold of the monthly financial statements of fewer than 100 customers.
The breach also affected an additional 6.1 million records, including names, addresses, phone numbers and birthdates in a database containing information dating back to at least 2005. It's not unusual for corporations to revise - typically upward but not always - the number of individuals affected by a breach as forensic analysts probe how far hackers were able to penetrate.
Latitude Financial says it hasn't detected additional suspicious activity since March 16.
Clare O'Neil, minister for cybersecurity, called the latest announcement "deeply concerning" to the Australian government.
"I have written to Latitude and made clear that my expectation, and that of the public, is that they will pay the full cost of recovery for replacement identity documents," O'Neil said. Latitude Financial has said it will reimburse customers who replace their stolen IDs.
The Australian Parliament in November approved government legislation increasing the maximum penalty for privacy breaches up to AU$50 million or 30% of adjusted revenue.
The incident is under investigation by the Australian Federal Police, and Latitude Financial is working with the Australian Cyber Security Center and other cybersecurity experts.
The Australian Broadcasting Corp. reports that some Australians are frustrated by what they say is a lack of communication from the company Some also question why Latitude Financial held onto data going back so far.
Bob Nicholls, an associate professor in regulation and governance at the University of New South Wales, told the broadcaster that "part of the problem is that it's cheaper to keep data than to cleanse it properly."
Still, "Why are we holding 14 million records when we only have 3 million customers?" Nicholls asked, rhetorically.