Hundreds of thousands of Australians had their driver’s license data stolen after a major consumer finance company was the target of a “sophisticated and malicious cyberattack”.
Latitude Financial, a major non-bank consumer credit lender in Australia with 2.8 million customer accounts, revealed on Thursday that it had been hacked after a significant cyberattack this week.
So far, the company has determined that 103,000 identification documents, almost all copies of driver’s licenses, have been stolen, along with 225,000 customer details.
It is the latest major cyber-attack to befall a major Australian company, affecting hundreds of thousands of Australians, following the Optus and Medibank breaches last year.
According to Latitude Financial’s update on Thursday, the company has detected “unusual activity” on its systems “over the past few days,” coming from a major vendor used by the organization.
The company said it was taking “immediate action,” but this didn’t stop the cyber attacker from getting hold of Latitude employees’ credentials.
This data was then used to steal the personal information of two other Latitude service providers, the company said.
“Latitude apologizes to affected customers and is taking immediate steps to contact them,” the company said in an announcement to the ASX.
“Latitude continues to respond to this attack and is making every effort to contain the incident and prevent the theft of further customer data, including isolating and removing access to some customer-facing and internal systems.”
Latitude Financial also informed the Australian Cyber Security Centre, alerted relevant law enforcement agencies and engaged its own cybersecurity specialists.
A message on the Latitude Financial website states that the contact centers are “currently unavailable”.
Founded in 2015 after a consortium of investors acquired it from GE, Latitude Financial is based in Melbourne. The company offers consumer financing in the form of personal loans, credit cards, card loans, personal insurance and interest-free retail financing.
It is Australia’s largest non-bank consumer credit provider.
Latitude says it has 2.8 million customer accounts and more than 5,500 trading partners in Australia and New Zealand.
CEO and CEO Ahmed Fahour will leave Latitude Financial in two weeks, having resigned in August 2022. He was formerly the CEO of Australia Post. Current executive general manager of Latitude Financial’s Money division, Bob Belan, will take over as CEO effective April 1.
Another ASX-listed company, IPH Limited, also stopped trading earlier this week due to a cybersecurity breach. The intellectual property law group also notified the Australian Cyber Security Center and said the breach mainly concerns its document management systems and practice management systems.
Data that may have entered the breach may include business records, customer documents and correspondence, and IP case management information.
“Ongoing investigation is aimed at determining whether information stored in these systems has been accessed by unauthorized third parties,” the company said in a statement.
The company said in an update to the market that it detected “unauthorized access to part of its IT environment” earlier this week.
Unfortunately, Australians are becoming increasingly accustomed to their highly sensitive personal information getting caught up in data breaches.
At the end of last year, large telecommunications company Optus was founded affected by a cyber attackaffecting 9.8 million customers.
Shortly afterwards, the private health insurance company Medibank also joined suffered a data breach, with the attackers gaining access to all of its customers’ 9.7 million personal data. This was apparently the result of a “novice error”, with access to the systems “using a stolen username and password from Medibank used by a third-party IT service provider”.
After Medibank refused to pay a ransom, all personal data was eventually dumped on the dark web.
In the aftermath of these attacks, a government-appointed advisory group of experts is now considering major reforms to Australia’s “patchwork” of cyber policywith the federal government formulating a new cybersecurity strategy.