A leading Australian personal loans provider, Latitude Financial Services, confirmed a data breach that impacted two service providers.
Latitude told the Australian Stock Exchange (ASX) it “detected unusual activity on its systems over the last few days that appears to be a sophisticated and malicious cyber attack.”
Listed on the Australian stock exchange, Latitude offers unsecured personal loans, credit cards, personal insurance, and car loans. It also offers buy now, pay later (BNPL) services to major third-party retailers like The Good Guys, Harvey Norman, JB HiFi, and David Jones through its LatitudePay service.
Latitude data breach compromised two service providers
The subsidiary of Deutsche Bank said it determined that a sophisticated and malicious cyber actor breached the backend infrastructure of a major vendor, obtaining Latitude employee login credentials. The malicious actor used the compromised login credentials to steal personal information that was held by two of Latitude’s service providers.
Latitude withheld the identity of the two breached service providers. The company uses external service providers to complete tasks such as identity verification.
Latitude anticipates that the data breach cumulatively impacted “approximately 330,000 customers” from both service providers.
“As of today, Latitude understands that approximately 103,000 identification documents, more than 97% of which are copies of drivers’ licenses, were stolen from the first service provider,” the financial services company said.
Additionally, approximately 225,000 customer records were stolen from the second service provider.
Latitude also explained that approximately 4% of stolen documents stolen from the service providers were copies of passport or passport numbers, while less than 1% were Medicare numbers.
However, the stolen data was “not the same for every impacted individual,” according to its statement. The company promised to contact each data breach victim and “alert them to what’s been stolen.” Both current and former customers, including those who did not complete an application, were also likely impacted.
The company promised to help the victims replace identity documents at no cost, although the Department of Foreign Affairs and Trade has confirmed that the move was unnecessary.
The personal loans provider is working with the Australian Cyber Security Center (ACSC) and has reported the data breach to relevant authorities. The data breach is also currently under investigation by the Australian Federal Police.
Latitude also engaged external cyber security specialists and isolated and removed access to some internal and customer-facing systems to prevent further exploitation of customer data.
The company said the incident “remains active,” and some systems were still inaccessible, preventing it from serving partners and merchants.
Latitude advises customers to monitor their accounts
Financial services companies store critical information that could allow threat actors to commit identity theft.
“We urge customers to remain vigilant, as their stolen data can be potentially used for phishing or social engineering attacks,” explained Sean Duca, Vice President and Regional Chief Security Officer, Asia Pacific & Japan at Palo Alto Networks. “It is recommended to keep an eye on your social media accounts for any suspicious activity. Read your card and monitor your bank account statements closely for any unusual transactions.”
Latitude advised its customers to monitor their accounts and dispute suspicious transactions for appropriate action. Additionally, they should request their credit reports and place a freeze if necessary to protect their identity from creating loan accounts. The financial services company also advised customers against clicking on suspicious links received via email or SMS.
“Visibility into supply chain cyber security risk remains an ongoing problem in Australia,” said Sumit Bansal – Vice President of Asia-Pacific and Japan at BlueVoyant. “This latest breach with Latitude Financial is a reminder for companies to look at their vendors, suppliers, and other third parties. Last month, The Good Guys was also was hit by a supply chain breach, and it’s a reminder that these companies are not the only ones to be negatively impacted by a breach related to a third party and most likely will not be the last.”
Cyber attacks are increasing in Australia
ACSC recorded 76,000 cyber attacks in the financial year 2021-22, up from 67,500 in 2020-21, representing a 13% annual increase.
Australia’s most notable cyber attacks include the September 2022 Optus data breach that impacted 9.8 million customers.
Other Australian cyber attacks in 2022 include Medibank (700,000), Woolworths’ MyDeal (2.2 million), EnergyAustralia (323), Vinamofo (500,000), and Medlab (223,000) data breaches.