Coles credit card customers embroiled in Latitude hack

They cyber attack impacting personal lender Latitude Financial Services (Latitude) has impacted an undisclosed number of Coles Financial Services customers — a financial services provider in Australia owned by Coles Group, one of the largest retailers in the country. 

It offers a range of financial products and services to its customers, including credit cards, personal loans, car insurance, home insurance, and life insurance.

Latitude was a financial services provider to Coles Financial Services and recently informed Coles that historical Coles credit cardholder data has been affected by the recent cyber incident impacting their business.

While Coles Financial Services moved its white label credit cards agreement from Latitude to Citibank in March 2018, a number of customers who had a Coles credit card powered by Latitude have reportedly been impacted.

In a press release, Coles said Latitude has not yet advised Coles of the number of impacted customers or specific details of the breach.

“Latitude is currently contacting impacted customers,” a Coles spokesperson said.

“We understand that this cyber incident is concerning. We are disappointed that this cyber incident has taken place and apologise for the inconvenience and uncertainty created.”

Latitude confirmed last month that around 7.9 million Australian and New Zealand driving licence numbers had been stolen in its recent cyber attack.

In an announcement released on the ASX on 27 March, the non-bank lender stated 40 per cent — or 3.2 million — of those licence numbers were provided to Latitude in the last 10 years.

Latitude approximated that 53,000 passport numbers were also stolen and just under 100 customers had monthly financial statements stolen.

Around 6.1 million records dating back to 2005 were also stolen and around 94 per cent of those documents were provided before 2013. Those records included “some but not all” of the personal information: name, address, telephone, and date of birth.

Latitude has said it will reimburse customers who choose to replace their stolen ID documents.

Latitude operates through a network of retail partners, including Harvey Norman, JB Hi-Fi, and Bunnings Warehouse as well as through its own online and mobile platforms. The company was previously owned by GE Capital and was known as GE Money in Australia and New Zealand. In 2015, it was acquired by a consortium of investors led by Deutsche Bank and KKR and was subsequently rebranded as Latitude Financial Services.

In a market update last week, chief executive Bob Belan said that Latitude had received a ransom demand relating to its cyber attack, but revealed that the company would not be paying it (consistent with the position of the Australian government).

“Latitude will not pay a ransom to criminals,” Latitude Financial CEO Mr Belan said.

“Based on the evidence and advice, there is simply no guarantee that doing so would result in any customer data being destroyed and it would only encourage further extortion attempts on Australian and New Zealand businesses in the future.

“I apologise personally and sincerely for the distress that this cyber attack has caused and I hope that in time, we are able to earn back the confidence of our customers.” 

[Related: Criminals demand ransom payment from Latitude]