IOTW: Latitude Financial data breach affects 14 million people

Australian financial services company, Latitude Financial, has suffered a large-scale data breach that exposed the personal information for more than 14 million customers.

The breach was initially discovered on March 16, but was originally thought to have affected a fraction of the customers actually impacted by the cyber attack.

How did the Latitude Financial data breach happen?

The data breach was initially reported by Latitude Financial on March 16, after unusual activity was detected on the company’s systems. The company said that the activity appeared to be a “sophisticated and malicious" attack originating from a vendor used by Latitude Financial.

During the cyber attack, the malicious actor was able to steal employee login credentials which they then used to steal personal customer information from two service providers.

Initial reports by Latitude Financial stated that the malicious actor had stolen the information of 328,000 customers, with the majority of these records being customer’s driver’s licenses.

In an update on the attack on March 20, Latitude Financial confirmed that copies of passports, passport numbers and Medicare numbers were all stolen in the breach. 

It was later discovered, however, that the data breach was more extensive than Latitude Financial believed it to be. On March 22, Latitude Financial reported that the network breach had led to a “large-scale information theft affecting customers (past and present) and applicants across Australia and New Zealand”. The company stressed that no further data had been stolen from its systems since March 16, but noted that the scale of the breach was far larger than previously believed. 

On March 27, Latitude Financial revealed that more than 14 million customers were affected in the breach.

The company posted in a statement about the breach that the data stolen included:

• 7.9 million Australian and New Zealand driver license numbers.
• Approximately 53,000 passport numbers.
• 100 monthly financial statements.
• 6.1 million records dating back to at least 2005.
• The records stolen also included customer names, dates of birth, addresses and telephone numbers.

Latitude Financial said that it would be directly contacting all those affected by the breach. It also said it would reimburse all customers who chose to replace ID documents that were stolen in the cyber attack.

The cyber attack was reported to and is being investigated by the Australian Federal Police (AFP), which has extended the taskforce originally formed to help victims of the Optus and Medibank data breaches to include those affected by the Latitude Financial cyber attack. The company also engaged help of Australian Cyber Security Centre and other relevant Government agencies as well as external cyber security experts.

Class action lawsuit launched against Latitude Financial

The financial services company may also face a class action lawsuit related to the breach. On March 27, two Australian law firms, Gordon Legal and Hayden Stephens and Associates, announced that they would be launching an investigation into potential legal action against Latitude Financial.

In a joint statement, the two law firms said that they would be investigating Latitude Financials' cyber security protections and protocols, including whether the company took appropriate steps to protect and secure its customers’ data in addition to the circumstances surrounding the breach itself.  

A full timeline of the attack

• March 16 – suspicious activity is detected on Latitude Financials' systems. Latitude Financial states that 328,000 records were stolen during the breach, including driver’s license numbers.
• March 20 – Latitude Financial confirms copies of passports or passport numbers and Medicare numbers were stolen in the breach.
• March 22 – Latitude Financial shares that the breach was far larger than originally reported.
• March 27 – It is revealed that 14 million people were affected by the breach.
• March 27 – Gordon Legal and Hayden Stephens and Associates announces that they will be investigating potential legal action relating to the data breach.