The personal data of 14 million customers was stolen as part of a cyber attack on Latitude Financial earlier this month.
Latitude Financial, a major non-bank lender of consumer credit in Australia and New Zealand, revealed it had been targeted by a “sophisticated and malicious cyber-attack” in mid-March.
Initially, the company said that 103,000 identification documents and 225,000 customer records had been breached.
But in an update on Monday, the company confirmed that the personal data of 14 million customers had actually been stolen.
The company said that 7.9 million Australian and New Zealand drivers licence numbers have been stolen.
Of these, 3.2 million or 40 per cent were provided to Latitude in the last decade.
On top of this, 53,000 passport numbers were breached and under 100 customers had their monthly financial statements stolen.
Additionally, the hackers have obtained 6.1 million documents dating back to 2005. According to Latitude, 94 per cent of these documents were provided to the company pre-2013, and the information in them include personal information such as name, address, telephone and date of birth.
“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident,” Latitude Financial CEO Ahmed Fahour said.
“We apologise unreservedly. We continue to work around the clock to safely restore our operations. We are rectifying platforms impacted in the attack and have implemented additional security monitoring as we return to operations in the coming days.”
Federal Cyber Security Minister Clare O’Neil said the Latitude update is “deeply concerning” and that the National Coordination Mechanism, which brings together agencies across the Commonwealth, states and territories, has met more than five times already in relation to the breach.
“Latitude Financial is cooperating with the government in responding to this incident, and we expect the company to continue to swiftly provide the government with all information it needs,” O’Neil said.
With a total of 14 million customer records breached, the Latitude hack is now worse in terms of volume than the Optus and Medibank hacks last year.
The Optus hack saw the information of 9.8 million customers stolen, while 9.7 million people were caught up in the Medibank hack.
Latitude has offered to reimburse all customers who opt to replace their identification documents, and has engaged IDCARE.
“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them, including reimbursing the cost if they choose to replace their ID documents,” Fahour said.
“We are also committed to a full review of what has occurred. We urge all our customers to be vigilant and on the lookout for suspicious behaviour relating to their accounts. We will never contact consumers requesting their passwords.”
In the Monday update, Latitude confirmed that it does have cyber security insurance, and that all customers, past customers and applicants whose information has been compromised will be informed of this “outlining details of the information stolen” along with “plans for remediation”.
The breach of Latitude has been labelled a failure by cyber security experts.
According to the company, the cyber attackers gained employee login credentials through a successful attack on a third party, and then used these details to steal personal information from two other service providers.