Millions of ID documents stolen in Latitude attack

Latitude Financial Group Holdings Ltd (Latitude) has confirmed that around 7.9 million Australian and New Zealand driving licence numbers have been stolen in its recent cyber attack.

In an announcement released on the ASX on Monday (27 March), the non-bank lender stated 40 per cent - or 3.2 million - of those licence numbers were provided to Latitude in the last 10 years.

Latitude approximated that 53,000 passport numbers were also stolen and just under 100 customers had monthly financial statements stolen.

Additionally, the non-bank lender stated that around 6.1 million records dating back to 2005 were also stolen and around 94 per cent of those documents were provided before 2013.

Those records included “some but not all” of the personal information: name, address, telephone, and date of birth.

The non-bank has stated it intends to reimburse customers who choose to replace their stolen ID documents.

“Latitude maintains insurance policies to cover risks, including cyber-security risks, and we have notified our insurers in respect of this incident,” the company stated.

Latitude also confirmed that it has stopped onboarding new customers as the cyber attack remained active, while it informed its shareholders on 20 March that it engaged in leading external cyber security experts, the Australian Cyber Security Centre, the Australian Federal Police (AFP), and other relevant government agencies.

The non-bank lender believed the attack originated from a major vendor of the company and although Latitude took immediate action, the attacker was successful in obtaining Latitude employee login credentials before the incident was isolated.

Outgoing chief executive of Latitude, Ahmed Fahour, issued another apology in yesterday’s (27 March) update: “It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly.

“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full review of what has occurred.”

Mr Fahour urged customers to be vigilant and to be on the lookout for suspicious behaviour in relation to their accounts.

“We will never contact customers requesting their passwords,” he emphasised.

“We continue to work around the clock to safely restore our operations. We are rectifying platforms impacted in the attack and have implemented additional security monitoring as we return to operations in the coming days.”

The cyber attack is still currently under investigation by the AFP, Australian Cyber Security Centre, and cyber security advisers.

Latitude stated that there has been no suspicious activity observed in its systems since 16 March to the best of its knowledge.

[RELATED: Latitude turns away new customers as cyber attack persists]