Data of 328,000 Customers Stolen in Hack of Australian Financial Firm

By Daniel Y. Teng
Daniel Y. Teng
Daniel Y. Teng
Daniel Y. Teng is based in Sydney. He focuses on national affairs including federal politics, COVID-19 response, and Australia-China relations. Got a tip? Contact him at
March 15, 2023Updated: March 15, 2023

Over 328,000 customers of Latitude Financial have had their data stolen during a “sophisticated and malicious” cyber-attack.

On March 16, the Melbourne-based consumer finance provider—one of the biggest non-banking lenders in the country—called for a halt to trading and revealed the incident had been isolated.

The company said the hackers obtained employee login credentials and were able to steal personal information via two “service providers” or contractors.

“As of today, Latitude understands that approximately 103,000 identification documents, more than 97 percent of which are copies of drivers’ licences, were stolen from the first service provider.

“Approximately 225,000 customer records were also stolen from the second service provider,” the company revealed in an investor announcement (pdf).

“Latitude apologises to the impacted customers and is taking immediate steps to contact them.”

The company said it would continue to respond and do “everything in its power” to contain the incident.

Latitude is working with the Australian Cyber Security Centre and has alerted the relevant law enforcement agencies.

Cyberattacks on Large Organisations an Ongoing Trend

The attack on Latitude is the latest in a series of cyberattacks targeting Australia’s largest firms, including Optus (the second-largest telecommunications provider), Medibank (the largest private insurer), Woolworth’s MyDeal, and the Australian Department of Defence.

Rob Nicholls, associate professor at the University of New South Wales, said the major challenge for Latitude going forward would be winning back the confidence of consumers.

“We’ve seen Telstra and Vodafone take on a significant number of customers in the last quarter, primarily as a result of the breach of Optus,” he told The Epoch Times. “And that is a loss of trust. It becomes even more critical for a business that’s providing financial services.”

Nicholls also said that the fact an “external service provider” was responsible for losing the data did not abrogate Latitude from its responsibilities. A service provider could be the data host or credit reference provider used by Latitude.

“The fact that Latitude has taken customer information—entrusted to Latitude’s use—without ensuring those service providers have adequate cybersecurity is entirely problematic,” he said.

He pointed to the 2022 court case, ASIC v RI Advice Group Pty Ltd, that found financial service providers may be personally liable if a contractor has inadequate cybersecurity.

Nicholls also said too many businesses were quick to say “sophisticated” actors were behind cyberattacks.

“Even when the cyberattack isn’t terribly sophisticated, they claim there are state actors behind it,” he said.

“When there are high-value targets, like financial services that keep the information, or businesses that might be persuaded to pay a ransom for their own data set. You don’t need a state actor involved.”

To Counteract Cyberattacks, Labor Ups Regulation

The federal government has responded to the increasing cyberattacks on Australian public and private institutions by introducing an amendment to the Privacy Bill on Oct. 26.

The amendment will significantly increase penalties to organisations for serious or repeated privacy breaches, a move the Labor government hopes can compel businesses to do more on cybersecurity.

It will also strengthen the Notifiable Data Breaches scheme to ensure the Information Commissioner has knowledge of an incident and the data compromised.

“These amendments are targeted and measured,” Attorney General Richard Dreyfuss said. “They respond to the most pressing issues arising from the Optus data breach and other recent cyber incidents.”

Yet Nicholls has previously warned that these measures are simply increasing red tape for businesses, saying a part of the problem is the amount of data companies are required to obtain under law.

“The real problem with keeping it is that it creates what’s called in cyber-attacks, a honeypot. The value of the data in a breach is higher because it has more items which actually identify the people involved,” he previously told The Epoch Times.

He said companies were required to obtain identity documents under the Know Your Customer guidelines that, include birth certificates, driver’s licenses, or passport numbers.

Related Topics