A cyber attack on Latitude Financial which saw the personal data of up to 14 million customers stolen has cost the Australian company $76 million, according to its financial statements.

In March this year, major Australian and New Zealand non-bank lender Latitude Financial revealed it had been the victim of a major data breach, with up to 14 million of its customers having their personal information exposed.

The majority of this data consisted of driver licence numbers, with some passport numbers and Medicare numbers also stolen.

The company has now revealed that it suffered $76 million in pre-tax costs and provisions relating to this cyber incident, contributing to its overall loss of $98 million in the first six months of the year.

The company reported that this figure equates to an actual spend of $53 million on the cyber incident.

For six weeks following the cyber attack, Latitude paused new originations and pricing actions, saw a decline in receivables and had its collections activities “significantly disrupted”.

“While the first six months of 2023 have been amongst the most challenging in Latitude’s history, I am proud of the extraordinary resilience and response of my colleagues and pleased with the strength of the rebound we are now beginning to see,” Latitude managing director and CEO Bob Belan said.

“We have and will continue to work diligently to continuously review and enhance the security of our systems and importantly, accelerate the delivery of our refreshed strategy focused on improving the experience for our customers and elevating the financial performance in our core Pay and Money divisions.”

In its half-yearly results, Latitude hinted that it may be able to recoup some of its losses from the cyber attack through its insurance.

“Latitude continues to work cooperatively with regulators as they review Latitude’s information handling practices and with the company’s insurers on claims which may mitigate some or all of the $76 million pre-tax costs and provisions made for costs arising from the cyber incident,” the company said.

Despite the significant financial and reputational setback from the data breach, the company reported that as of the start of this financial year, its “volumes were back to pre-incident levels, plan pricing changes were implemented and incremental actions by [its] collections team led to a material decline in delinquency rates, which had spiked during the period that [the] system was offline”.

When it first revealed that it had been hit by a cyber attack in March, Latitude initially reported that approximately 330,000 customers and applicants had their information stolen.

But soon after, the company said that up to 14 million customers had been caught up in the breach and that the information accessed by the hackers included driver licences, and passport and Medicare numbers.

Latitude received a ransom demand from the hackers responsible for the attack but refused to pay it, in line with the federal government’s position.

The company offered to reimburse all customers who decided to replace their identification documents and engaged IDCare.

Cyber security experts labelled the breach a failure, with Latitude revealing that the attackers gained employee login credentials through an attack on a third party and then used these details to steal personal information from two other service providers.

The Latitude breach is one of several recent high-profile cyber attacks on major Australian companies.

Last year telecommunications firm Optus fell victim to a cyber attack, with the information of 9.8 million customers stolen.

Health insurance provider Medibank was also impacted by a cyber attack last year, with 9.7 million people affected.