Latitude suffers major data breach. Underlines need for privacy reform in Australia
March 16, 2023
The timing of an announcement of a data breach at Latitude Financial couldn’t be more apposite. Submissions on the Government’s Report on reform to the Privacy Act, released in January, are due by 31 March 2023. The attack was effected through employee login credentials from a major vendor used by Latitude. That is a depressingly familiar scenario. It also bespeaks inadequate controls. Approximately 103,000 identification documents, 97% of which were copies of drivers’ licences, and 225,000 customer records were compromised. The records were held by service providers. The breach has been reported in the Australian Financial Review, the NASDAQ and the Sydney Morning Herald, among others (and the number will grow).
Latitude has made a statement, because it has been quoted in the media, but it has not done what Optus and Medibank did with their data breaches: put out a statement on its website about what happened, what was done and what is being done. That is a rookie error.
The Australian’s “Customer details stolen as Latitude suffers major cyber attack” provides a good summary of what is known to date. The Information Commissioner has not made mention of any report or investigation. Given its recent decisions to investigate other major data breaches, it is a reasonable expectation that Latitude Financial will be hosting officers from the Commissioner’s office in the near future.
The Australian article provides:
Latitude Financial says it was the target of a “sophisticated and malicious cyber-attack” which has resulted in 103,000 identification documents and 225,000 customer records being stolen.
The loans, credit cards and insurance company said the activity was believed to have originated from a major vendor used by Latitude.
It said although it took immediate action, the attacker was able to obtain Latitude employee login credentials before the incident was isolated. “The attacker appears to have used the employee login credentials to steal personal information that was held by two other service providers,” it said.
“As of today, Latitude understands that approximately 103,000 identification documents, more than 97 per cent of which are copies of drivers’ licences, were stolen from the first service provider.
“Approximately 225,000 customer records were also stolen from the second service provider.”
Latitude said it was “continuing to respond to this attack and is doing everything in its power to contain the incident and prevent the theft of further customer data, including isolating and removing access to some customer-facing and internal systems”.
“We are working with the Australian Cyber Security Centre, have alerted relevant law enforcement agencies and engaged several cyber security specialists to assist with Latitude’s response,” it said.
“Latitude will cooperate with authorities to investigate this attack. Our priorities are to ensure the ongoing security of our customers, our employees and our partners while continuing to deliver services.”
It is the latest cyber attack to hit corporate Australia, with Medibank and Optus suffering major breaches last year.