Latitude Financial customers are beginning to receive communications via email notifying them of of the extent of the data breach they suffered following a cyberattack that resulted in the theft of almost 8 million Australian and New Zealand driver's licence numbers, over 53,000 passport numbers, and fewer than 100 customer financial statements.
In addition, 6.1 million customer records were compromised. The company rejected a ransom demand from the criminals responsible for the attack, a decision that was supported by the Albanese government.
The ASX-listed company disclosed the number of affected customers in a statement on March 27, and noted that the data the attackers detailed in their ransom threat is consistent with their disclosure.
In an email sent to customers, Latitude CEO Bob Belan apologized for the incident and acknowledged the impact it has had on those affected. The email outlined the types of personal information compromised, which included the driver's licence number and personal details provided during credit applications. Latitude assured customers that they would be reimbursed for any costs incurred in replacing their licences.
According to the company's investigation, the attackers gained access to Latitude's network using compromised login credentials obtained from a third party. Latitude promptly alerted relevant authorities and law enforcement agencies, including the Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP), and engaged external cybersecurity specialists to work alongside their internal teams.
The Australian Information Commissioner (OAIC) and the New Zealand Office of the Privacy Commissioner (OPC) were informed of the incident on March 16, 2023, and have continued to receive updates on developments. The crime is currently under investigation by the AFP.