The driver licence information of a hundred thousand Australians has been stolen after a major consumer finance company was targeted with a “sophisticated and malicious cyber-attack”.
Latitude Financial, a major non-bank lender of consumer credit in Australia boasting 2.8 million customer accounts, revealed on Thursday that it had been breached following a significant cyber attack this week.
So far, the company has identified that 103,000 identification documents, nearly all of which are copies of drivers’ licences, have been stolen, along with 225,000 customer records.
It’s the latest major cyber-attack to befall a significant Australian company and impact hundreds of thousands of Australians, following the Optus and Medibank breaches last year.
According to Latitude Financial’s update to the market on Thursday, the company detected “unusual activity” on its systems “over the last few days”, originating from a major vendor used by the organisation.
The company said it took “immediate action” but this didn’t prevent the cyber attacker from obtaining Latitude employee login details.
These details were then used to steal the personal information held by two other Latitude service providers, the company said.
“Latitude apologises to the impacted customers and is taking immediate steps to contact them,” the company said in an announcement to the ASX.
“Latitude is continuing to respond to this attack and is doing everything in its power to contain the incident and prevent the theft of further customer data, including isolating and removing access to some customer-facing and internal systems.”
Latitude Financial has also informed the Australian Cyber Security Centre, alerted the relevant law enforcement agencies and engaged its own cyber security specialists.
A notice on the Latitude Financial website states its contact centres are "currently unavailable".
Latitude Financial was established in 2015 after a consortium of investors acquired it from GE, and is based in Melbourne. The company offers consumer finance in the form of personal loans, credit cards, card loans, personal insurance and interest-free retail finance.
It is the biggest non-bank lender of consumer credit in Australia.
Latitude says that it has 2.8 million customer accounts and more than 5,500 merchant partners in Australia and New Zealand.
CEO and managing director Ahmed Fahour is due to depart Latitude Financial in two weeks, having resigned in August 2022. He was previously the CEO of Australia Post. Current Latitude Financial executive general manager of the Money division, Bob Belan, takes over as CEO from 1 April.
Another ASX-listed company, IPH Limited, also halted trading earlier this week due to a cyber security breach. The intellectual property law group has also notified the Australian Cyber Security Centre, and said that the breach primarily relates to its document management systems and practice management systems.
Data that may have been caught up in the breach could include business administration documents, client documents and correspondence and IP case management information.
“The investigation underway is focused on determining whether the information stored in these systems has been accessed by the unauthorised third party,” a company statement said.
The company said in an update to the market that it detected “unauthorised access to a portion of its IT environment” earlier this week.
Australians are unfortunately becoming increasingly used to having their highly sensitive personal information caught up in data breaches.
Late last year, major telecommunications firm Optus was struck by a cyber attack, with 9.8 million customers impacted.
Shortly after, private health insurance provider Medibank also suffered a data breach, with the attackers gaining access to all 9.7 million of its customers’ personal details. This was apparently the result of a “rookie mistake”, with the systems accessed “using a stolen Medibank username and password used by a third party IT service provider”.
After Medibank refused to pay a ransom, all of the personal data was eventually dumped on the dark web.
In the wake of these attacks, a government-appointed expert advisory group is now considering major reforms to Australia’s “patchwork” of cyber policies, with the federal government formulating a new cybersecurity strategy.