A mid-March data breach at Australian financial service provider Latitude was initially estimated as impacting a little over a quarter of a million of its customers, mostly leaking driver’s license information. That estimate turned out to be a little bit low. Latitude now says that 14 million records were exposed, and that passport numbers and the personal information of loan applicants were also included.
A string of major data breaches in Australia that began in late 2022 seemed to have subsided going into the new year, but may have just flared up again as both Latitude and real estate giant Meriton have recently disclosed incidents involving very large numbers of records. The Latitude breach also led to smaller follow-on attacks at two of its contractors, which likewise resulted in the theft of some amount of personal information.
Major non-bank financial service provider loses 14 million records
Latitude is the largest of the general non-bank financial service providers in Australia, offering a mix of loans, credit cards and insurance products. As it is presently constituted, the company launched in 2015, but prior to that it was a division of the Australian Guarantee Corporation that was later acquired by GE Capital.
This explains why some of the records in the data breach date back as far as 18 years, and has raised serious questions as to why Latitude has been holding some of this information for so long. The original breach notification came on March 16, at the time claiming that about 328,000 records had been stolen after an attacker obtained an employee’s credentials. The update to 14 million records came on March 28.
The financial service provider had also initially said that the majority of the records lost were driver’s license numbers. This still appears to be the most common type of record stolen, with the updated data breach information noting that 7.9 million numbers were stolen. These include customers in both Australia and New Zealand, and 3.2 million of these were provided within the past 10 years.
The new data breach notification also indicates that about 6.1 million of the stolen records contain full names, addresses, dates of birth and telephone numbers. This particular set of records dates back as far as 2005. 5.7 million of this set date back to before 2013, indicating that it came from sometime before the company reformed as Latitude.
The financial service provider has also disclosed that 53,000 passport numbers and monthly financial statements for “less than 100 customers” were lost in the attack. Latitude has offered to reimburse those that need to replace stolen documents due to the data breach, and the Australian Federal Police (AFP) has announced it is expanding its “Operation Guardian” program to cover the attack.
While the focus of the response is rightfully on customers, Sylvain Cortes (VP of Strategy at Hackuity) notes that the total damage for Latitude will be massive and cannot even yet be accurately predicted: “The largest-known data breach on an Australian financial institution is no small achievement for attackers. Whatever the cost of proactive security, it pales in comparison to the financial and brand damage Latitude Financial will now suffer for years. And that’s not even mentioning the millions of compromised customers who are paying the price alongside them.”
Data breach once again hits Australian personal identification information
The record count is now higher than that of the Optus data breach, which pushed many Australians to get new driver’s licenses after the numbers were exposed in connection with personal information. A total of about 2.1 million licenses were exposed in that incident, and government offices were swamped and experienced delays in late 2022 due to the demand for replacements (which Optus was made to pay for).
It remains unclear why Latitude retained so many old records, some of which appear to be from accounts that were closed prior to the company’s rebranding in 2015. Australia’s anti-money laundering laws require financial service providers to hold this sort of information for seven years, but the Australian Privacy Principles (APPs) also state that “reasonable steps” must be taken to anonymize or destroy personal information once it is no longer required for any purpose.
Australia’s privacy laws are undergoing rapid transformation that is driven in no small part by this chain of recent data breaches, stretching from the Optus and Medibank incidents to the financial service provider’s current problems. Penalties for losing sensitive personal information have been greatly increased, and the ongoing reform of the Privacy Act 1988 has been accelerated with a new series of proposals that is in an open comment period until the end of March. There is some hope that the full reform may be completed by the end of 2023.
There is not yet any indication that information stolen from the financial service provider has been put up for offer on the dark web. This development was a particularly hard blow for Medibank, which saw its market value drop by $2 billion after stolen records started appearing for sale on underground forums. It is still not clear if the run on major Australian companies is some sort of coordinated campaign, or just a coincidental string of opportunistic actors, but it has raised serious concerns about the country’s ability to defend itself from digital threats.
Dr. Darren Williams, CEO and Founder of BlackFog, notes that this is part of something of a broader sea change in which companies can no longer simply rely on insurance and backups to get them out of trouble: “On the back of the successful attack on Medibank and Optus late last year Australia has entered the mainstream as an attack target. We have seen continued focus globally on centralized data repositories specifically in sectors such as Healthcare, government and education. Latitude is the latest victim of this growing trend and highlights the need for data exfiltration monitoring and protection to stop such breaches moving forward. Like any attack, prevention is the best course of action with large fines imposed by most governments, as well as exposure to class action lawsuits. Limitations in cyber insurance policies and the number of exclusions mean businesses should be focused on protection rather than remediation to mitigate risk from attack. The only safe risk is zero.”