Latitude Financial is refusing to pay a ransom to the hackers behind a cyber attack impacting the personal data of 14 million customers.
Since mid-March, Latitude Financial, a major non-bank lender in Australia and New Zealand, has been dealing with the fallout of a data breach impacting driver licence numbers, passport numbers and droves of personal information.
The company's investigations initially suggested the personal information of approximately 330,000 customers and applicants had been stolen; however, Latitude later confirmed that a colossal 14 million customers have been exposed to the data theft.
Now, amid growing concerns from Latitude's customer base, the company has announced it will not pay a ransom to the criminals behind the attack.
In an 11 April update to the Australian stock exchange, Latitude said it had received a ransom demand from those responsible for the landmark cyber attack, and that the attackers had detailed stolen data which was consistent with Latitude's disclosed number of affected customers.
"Latitude Financial (ASX: LFS) has received a ransom demand from the criminals behind the cyber attack on our company," said Latitude.
"The stolen data the attackers have detailed as part of their ransom threat is consistent with the number of affected customers disclosed by Latitude in our announcement dated 27 March 2023," it added.
The company revealed a strong, anti-payout stance on the ransom threat – one which it believes is in line with the position of the Australian government and with advice from cyber security experts.
"Latitude will not pay a ransom. This decision is consistent with the position of the Australian Government," said Latitude.
Latitude Financial CEO Bob Belan explained the reasoning behind the company's ransom refusal, echoing conventional cyber security advice that paying a ransom would not guarantee a positive outcome.
"Latitude will not pay a ransom to criminals. Based on the evidence and advice, there is simply no guarantee that doing so would result in any customer data being destroyed," said Belan.
"It would only encourage further extortion attempts on Australian and New Zealand businesses in the future," he added.
The Latitude hack has been likened to the landmark Optus and Medibank data breaches of last year, both of which saw the companies similarly refuse ransom demands from their respective hackers.
Having now confirmed 14 million customer records breached, Latitude's data breach is larger in volume than the attacks on both Optus and Medibank.
“I apologise personally and sincerely for the distress that this cyber attack has caused and I hope that in time we are able to earn back the confidence of our customers,” said Belan.
Rampant cyber crime prompts government action
Following the recent string of large-scale data breaches in Australia, including Optus, Medibank and Latitude, the federal government is set to conduct a series of cyber "war games" in preparation for future cyber attacks.
Cyber security minister Clare O'Neil announced that participants in major industries such as banking, financial services and aviation will undertake exercises meant to test company responses to major cyber attacks.
“We’re conducting exercises where we play through what it would look like to have a major bank, for example, come down in a cyberattack,” said O'Neil.
The minister also showed support for Latitude's recent decision against paying out a criminal ransom demand.
"Paying cyber criminals only fuels the ransomware business model," she said.
"Latitude Financial’s decision that it will not pay a ransom to the cyber criminals who accessed the personal information of millions of customers is consistent with Australian government advice."
Meanwhile, Latitude said it is in the process of contacting customers and applicants whose information was compromised in the data breach, which affected 14 million customers.
"This matter is under investigation by the Australian Federal Police and we continue to work with the Australian Cyber Security Centre and cyber security experts on our response," said Latitude.
"We encourage all our customers to remain vigilant and alert to potential scam attempts."