Latitude Financial, an Australian non-bank lender, has revealed that a cyber attack on its systems earlier this month was more extensive than initially thought.
The company first announced the breach on March 16, stating that data for around 330,000 people had been compromised. However, in an update to the Australian Stock Exchange, Latitude now admits that up to 8 million people may have had their personal information stolen.
The hackers are believed to have accessed customers' names, addresses, dates of birth, telephone numbers, passport numbers, and in some cases, monthly financial statements. The company is still assessing the number of duplicate records and determining the true number of customers affected.
Impact on Customers
The full impact of the breach on customers is not yet clear, but it is expected to be significant. ABC News reported that one Latitude customer said a photograph used by the lender for identification purposes was stolen in the attack, leaving them feeling "violated."
Latitude has said it will reimburse customers for replacing any stolen ID documents. The Department of Foreign Affairs and Trade has also confirmed that passports impacted by the breach are still safe to use.
ABC News reports that, in an email sent on March 22, Latitude Financial informed some customers that additional personal information had been compromised.
The email read:
We have so far identified that the incident has resulted in the following kinds of your personal information being compromised.
We collected this information from you at the time you applied for credit or sought a quote from Latitude so we could verify your identity.
- Images of your driver licence which, where applicable, included your photograph, name, address, date of birth, licence number, card number and expiry date.
- The personal information you supplied during your application or quote request which, where applicable, included your full name, address, date of birth, your email and your phone number.
- A photograph of your face provided as part of Latitude's identity verification process.
Expert Criticism
Cybersecurity experts have criticized Latitude for keeping historical customer data on file dating back to 2005. Richard Buckland, a cybersecurity expert at the University of New South Wales, called it "pretty unbelievable" that such data was retained, even if it was legally required.
Buckland said that keeping such data for extended periods left customers vulnerable to impersonation and fraud. He also questioned the federal government's practice of retaining data to share with companies to reduce fraud risk, saying it was "misguided."
Latitude CEO Ahmed Fahour apologized "unreservedly" for the breach and pledged to work with affected customers to minimize the risk and disruption to them.
The Minister for Cyber Security, Clare O'Neil, said the extent of the breach was "deeply concerning," and that the government would work with Latitude to ensure customers affected by the attack are protected from immediate and future risks.