The data breach suffered by Latitude Financial Services (Latitude) is much more serious than initially estimated. The company initially determined that the number of impacted individuals was 328,000, but now confirmed that the real number of affected individuals is 14 million.
The incident took place on March 16, the Australian firm revealed that the attackers stole an employee’s credentials and used them to breach two of the company’s service providers and access Latitude’s customer data.
In response to the incident, the company shut down customer-facing systems and launched an investigation to determine the extent of the intrusion. Latitude reported the security breach to the Australian Federal Police.
“Once the attack was discovered, we took immediate and decisive action, including isolating systems, taking them offline to protect personal information. Unfortunately, this action continues to cause disruption to our services. We are working around the clock to restore full service for our customers and partners.” reads the Cyber Incident Update published by the company. “We are well advanced in what has been a thorough, forensic investigation of our systems, supported by external cyber security specialists.”
The investigation revealed that the incident impacts 14 million individuals that are customers, past customers, and applicants across Australia and New Zealand.
“As our forensic review continues to progress, we have identified that approximately 7.9 million Australian and New Zealand driver licence numbers were stolen, of which approximately 3.2 million, or 40%, were provided to us in the last 10 years.” reads a new update published on March 27, 2023.
“In addition, approximately 53,000 passport numbers were stolen. We have also identified less than 100 customers who had a monthly financial statement stolen.”
The company announced that it will reimburse those customers who choose to replace their stolen ID documents.
The statement also reported that approximately 6.1 million records dating back to at least 2005 were also compromised in the data breach. 94% of these records (5.7 million) were provided before 2013.
These 6.1 million records include some, but not all of the following personal information: name, address, telephone, and date of birth.
“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly.
“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full review of what has occurred.” said Latitude Financial CEO Ahmed Fahour.
“We urge all our customers to be vigilant and on the look-out for suspicious behaviour relating to their accounts. We will never contact customers requesting their passwords.”
According to the Australian Federal Police (AFP), which is investigating the intrusion, there is no evidence to date that the personal details of the impacted customers are available, or being sold on online or dark web forums.
The AFP also added that its Operation Guardian will also help protect impacted customers from threat actors attempting to abuse the stolen data.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)