Latitude Financial’s woes continue and follow a trajectory all too common in large data breaches suffered by organisations with poor breach response plans.

March 29, 2023

The Latitude Financial data breach has taken the familiar path marked out by previous organisations that suffered a data breach with a poor understanding of their obligations and were hopelessly unprepared for the possibility of one. Latitude’s slow and inept response has mirrored many of the failings of Optus and Medibank in their responses to their own breaches. After the initial vague publicity about the breach, Latitude on 27 March 2023 provided an increased estimate of the number of customers whose personal information was affected: approximately 7.9 million individuals. The same day the Information Commissioner issued a statement which says little beyond that it is making enquiries and working with other government agencies. This seems to be the new approach when a big data breach occurs: remind people that the Commissioner exists and is doing stuff. The question is what exactly that stuff is.

There is a real skill to drafting statements about data breaches. In the United States, where data breach notifications have been a feature of regulation for a significant number of years, the advice to the market and to consumers is crafted carefully. Such statements tend to be much more transparent than the obfuscation and vague wording of Australian statements. Latitude’s statement is a mix of information and deflection. It is not very good. The statement from the Latitude Financial CEO is just cringeworthy pap. It says nothing of substance. It provides:

From the outset of the cyber-attack on Latitude, we have sought to keep our customers, partners, employees and the broader community as up to date as we can.

This malicious attack on Latitude is under investigation by the Australian Federal Police and we continue to work with the Australian Cyber Security Centre and our expert cyber-security advisers.

To the best of our knowledge no suspicious activity has been observed in Latitude’s systems since Thursday 16 March 2023.

As our forensic review continues to progress, we have identified that approximately 7.9 million Australian and New Zealand driver licence numbers were stolen, of which approximately 3.2 million, or 40%, were provided to us in the last 10 years.

In addition, approximately 53,000 passport numbers were stolen.

We have also identified less than 100 customers who had a monthly financial statement stolen.

We will reimburse our customers who choose to replace their stolen ID document.

A further approximately 6.1 million records dating back to at least 2005 were also stolen, of which approximately 5.7 million, or 94%, were provided before 2013.

These records include some but not all of the following personal information: name, address, telephone, date of birth.

Latitude maintains insurance policies to cover risks, including cyber-security risks, and we have notified our insurers in respect of this incident.

We recognise that today’s announcement will be a distressing development for many of our customers and we apologise unreservedly.

We are writing to all customers, past customers and applicants whose information was compromised outlining details of the information stolen and our plans for remediation.

Supporting our customers

Latitude is undertaking a comprehensive customer care program to support affected individuals. Some of the steps we are taking include:

Latitude’s dedicated contact centres are available for affected customers in Australia and New Zealand between 9am – 6pm AEDT/NZST, Monday – Friday.

Hardship support is available via our dedicated contact centres for customers who are in a uniquely vulnerable position as a result of this cyber-attack.

We have engaged IDCARE, a not-for-profit organisation specialising in providing free, confidential cyber incident information and assistance. If you wish to speak with one of their expert Case Managers, please visit idcare.org or call (New Zealand) 0800 121 068, 11am – 6pm NZST, Monday – Friday (excluding public holidays) or (Australia) 1800 595 160 (use the referral code LAT23).

Mental Health and Wellbeing Support is available free of charge through our Support Line 0800 808 374 (New Zealand) or 1800 808 374 (Australia).

The help page on our website is also being kept up to date with the latest information.

Steps you can take to protect yourself

There are immediate precautions that you can take, which include:

    • Contacting one of Australia’s credit reporting agencies for a credit report so you can check if your identity has been used to obtain credit without your knowledge.
    • In New Zealand, checking your credit record to confirm if your identity has been used to obtain credit without your knowledge. For further information, please refer to: https://govt.nz/browse/consumer-rights-and-complaints/debt-and-credit-records/check-your-own-credit-report

    • Requesting the credit reporting agencies to place a credit ban or suspension on your credit file via their website or by contacting them directly. Please be aware that you will not be able to apply for credit while the ban or suspension is in place.

Be Alert

We urge our customers to be vigilant with all online communications and transactions, including:

    • Staying alert for any phishing scams via phone, post or email
    • Ensuring communications received are legitimate
    • Not opening texts from unknown or suspicious numbers
    • Changing passwords regularly with ‘strong’ passwords, not re-using passwords and activating multi-factor authentication when available on any online accounts
    • Latitude will not contact customers asking for password or sensitive information

If you are a victim of cybercrime, you can report it at ReportCyber on the Australian Cyber Security Centre website.

If you wish to report a scam or a vulnerability, go to ScamWatch.

Latitude Financial CEO Ahmed Fahour said:

“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly.

“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full review of what has occurred.

“We urge all our customers to be vigilant and on the look-out for suspicious behaviour relating to their accounts. We will never contact customers requesting their passwords.

“We continue to work around the clock to safely restore our operations. We are rectifying platforms impacted in the attack and have implemented additional security monitoring as we return to operations in the coming days.

“We thank customers and merchant partners for their support and patience. Customers can continue to make transactions on their Latitude credit card.”

Taking Latitude’s reporting at face value, it faces serious questions as to why it held customer personal information dating back 18 years. It held 5.7 million records collected from 2005 until 2013. Some of the financial products Latitude provides may extend over a long period of time, but many don’t. It is not going out on too long a limb to suggest that a large percentage of those records related to files closed some time ago. If that is the case, Latitude is likely to be in breach of the Privacy Act 1988. As with Optus and Medibank, Latitude has incorporated boilerplate statements about steps to take, contacting IDCARE and the now usual references to working with the Australian Federal Police and the Australian Cyber Security Centre, the Australian data security version of wrapping oneself in the flag. Both the AFP and the ACSC have roles to play; however, at the end of the day the responsibility for data security is Latitude’s, as is the responsibility for rectification. Without a data breach response plan an organisation flounders when the unthinkable becomes reality. As Latitude is doing. Badly. It will soon have a fight on 3 fronts: dealing with the regulator, meeting a class action, ascertaining the full extent of the attack and fixing the problem to avoid a repetition and, finally, working with its customers. That is a difficult task at the best of times. Engaging consultants on the run, getting media organised, working with IT and dealing with many outside inquiries and internal crises should be done within a pre-agreed framework.

The ABC has covered the story with “Up to eight million Latitude Financial customers affected by data breach”, “Latitude Financial customers frustrated at lack of communication after millions of personal records stolen in cyber attack”, “Millions of customer records stolen in Latitude Financial data breach” and “What’s happening with the Latitude Financial cyber attack? Millions of customer details stolen in one of the largest-known data breaches in Australia”. The Guardian, amongst others, reports on a looming class action with “Latitude Financial faces possible class action after millions affected by data breach”.
