A breach at Australian financial services company Latitude that led to 100,000 copies of driver licenses being exposed to attackers was a “ridiculous” failure to mitigate the risk of data being handled by third-party service providers, according to cyber security experts.

Last week, Latitude publicised details about the incident which it said was the result of a “sophisticated” cyber attack originating with the compromise of a “major vendor used by Latitude”.

The attack on that third party saw the attacker gain employee login credentials which were then used “to steal personal information that was held by two other service providers”.

Chair of the Australian Computer Society (ACS) Cyber Security Committee Louay Ghashash described the company’s inability to secure four separate access points as “ridiculous”.

“If you uncouple the very generic statement, it’s clear this is not a sophisticated attack – it’s a simple control fail,” he told Information Age.

“Either this attack was so sophisticated that they compromised the multi-factor authentication (MFA) of different service providers and Latitude itself, or there was a simpler explanation.”

Latitude sent out an email notification about the breach to its customers on Friday night, a full day after it told shareholders.

In that email, the company apologised for the incident, offering customers the assurance that it will contact them if they were directly impacted by the breach.

Ghashash is scathing of what he calls “mediocre” statements companies tend to publish in the wake of data breaches and would prefer to see organisations own up to their own mistakes.

“Admit you didn’t enable MFA on a VPN, or that you used a simple username and password – I want to see them acknowledge their failures,” he said, suggesting it would improve Australia’s overall corporate responsibility around cyber security.

“How many people have their data on the dark web now, either through Medibank or Optus or Latitude, or all of the above?”

Be careful with vendors

But if the country is to get better with how data is managed, there needs to be a vast improvement on access controls to third-party service providers, Ghashash continued.

“People are blindly trusting their vendors, giving them privileged access without the right monitoring and controls,” he told Information Age.

“When you engage a service and you handle sensitive data, you have responsibility to verify that the provider has equal or better security than yours.”

Ghashash levelled similar criticisms at health insurer Medibank after it revealed the records of 9.7 million customers were accessed through credentials stolen from a service provider.

Elliot Dellys, CEO of Australian firm Phronesis Security, agreed that it’s important for organisations to hold their service providers up to higher standards.

“This attack is another reminder that there must be transparency among commercial partners for cyber security to work effectively,” he said.

“If businesses don’t understand the security provisions of the third parties that hold their data, then they will struggle to be able to prevent and manage these types of attacks in the future.”

The latest figures from the Office of the Australian Information Commissioner (OAIC) had a 26 per cent uptick in the number of notifications from July to December 2022, during which period both the Medibank and Optus attacks happened.

Around 70 per cent of those incidents were the result of malicious or criminal attacks, with ransomware continuing to play a role even if there are reports that ransomware payments fell significantly in 2022.

Rik Ferguson, VP of Security Intelligence for Forescout Technologies, said there has been a “definite move away” from ransomware and toward data extraction which is often used to extort companies.

“The end goal for many cybercriminals now is to steal data to sell on the black market,” he said.

“Moving forward, without neglecting other cyber security practises, organisations need to focus on making their data impossible to leak by ensuring it is encrypted at all times and furthermore make their data very difficult to exfiltrate.”