Latitude Financial Gets Pwned…. And It’s REALLY Bad

Latitude Financial which operates in Australia and New Zealand first disclosed it was pwned by hackers in mid-March and said the breach was thought to only include about 100,000 identification documents and 225,000 customer records. Fast forward to the present day and breach is now impacting 14 million residents in New Zealand and Australia, according to a statement released by Latitude Financial yesterday:

As our forensic review continues to progress, we have identified that approximately 7.9 million Australian and New Zealand driver licence numbers were stolen, of which approximately 3.2 million, or 40%, were provided to us in the last 10 years.

In addition, approximately 53,000 passport numbers were stolen.

We have also identified less than 100 customers who had a monthly financial statement stolen.

We will reimburse our customers who choose to replace their stolen ID document.

A further approximately 6.1 million records dating back to at least 2005 were also stolen, of which approximately 5.7 million, or 94%, were provided before 2013.

These records include some but not all of the following personal information: name, address, telephone, date of birth.

Latitude maintains insurance policies to cover risks, including cyber-security risks, and we have notified our insurers in respect of this incident.

Yikes! This is not trivial to say the least. Dr. Darren Williams, CEO and Founder, BlackFog had this to say about the latest revelations regarding this incident:

     “On the back of the successful attack on Medibank and Optus late last year Australia has entered the mainstream as an attack target. We have seen continued focus globally on centralized data repositories specifically in sectors such as Healthcare, government and education. Latitude is the latest victim of this growing trend and highlights the need for data exfiltration monitoring and protection to stop such breaches moving forward. Like any attack, prevention is the best course of action with large fines imposed by most governments, as well as exposure to class action lawsuits. Limitations in cyber insurance policies and the number of exclusions mean businesses should be focused on protection rather than remediation to mitigate risk from attack. The only safe risk is zero.”

Sylvain Cortes, VP of Strategy, Hackuity adds this comment:

     “The largest-known data breach on an Australian financial institution is no small achievement for attackers. Whatever the cost of proactive security, it pales in comparison to the financial and brand damage Latitude Financial will now suffer for years. And that’s not even mentioning the millions of compromised customers who are paying the price alongside them.”

I hate to say that this is likely going to be one of these situations where we get more info one drip at a time. And every drip is going to reveal that this hack was way worse than we know.

Leave a Reply

%d bloggers like this: