14 Million Customer Details Breached In Latitude Financial Firm

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Mar 27, 2023 03:03 am PST

The personal information of 14 million Australians and New Zealanders was stolen as a result of a serious security breach. Systems at consumer lending company Latitude Group revealed on Monday that the information had been stolen from them after a theft discovered two weeks prior.

The information from 7.9 million driver’s licenses and the passport numbers of about 53,000 people were stolen. Latitude Financial acknowledged in a statement that an additional 6.1 million records—including names, addresses, phone numbers, and dates of birth—dating back at least to 2005 were also stolen in this month’s incident.

The consumer loan company reported to the ASX on Monday that less than 100 customers had their monthly financial statements stolen. The corporation expressed its unequivocal regret and acknowledged that many of its consumers will find today’s statement upsetting.

We’re sending letters describing our intentions for repair to all current and former customers, applicants, and others whose information was compromised. If consumers change their identification documents, the business claimed that Latitude financial will refund them.

Latitude Financial Customers In Australia And New Zealand Stolen

The personal information of 14 million Latitude Financial customers in Australia and New Zealand was stolen during a breach. A human foot inside a shoe washes up on a well-known New Zealand beach. Ahmed Fahour, the CEO, expressed his disappointment that so many additional clients and applicants had been impacted by the issue and promised a thorough investigation.

He advised clients to exercise greater caution when it came to cyber security. “We strongly advise all of our clients to exercise caution and to keep an eye out for any unusual activity involving their accounts. He said that customers would never receive a call from us asking for their credentials.

“We keep working nonstop to resume our operations securely. In preparation for our operational resumption in the upcoming days, we are repairing the platforms damaged by the attack and adding more security monitoring.

Latitude revealed on March 16 that it had discovered a “complex and malicious cyber-attack” on its systems a few days prior; however, at the time, it believed it involved only a small number of client records—perhaps a few hundred thousand—rather than a large number.

Data Breach Extremely Alarming

According to the federal minister for cyber security Clare O’Neil, the disclosure of the most recent data breach is extremely alarming. She stated, “The administration shares the annoyance and worry felt by many residents who believe that their data may now have been stolen on several occasions.

“Latitude Financial is working with the government to address this problem, and we anticipate the business to keep giving the government all the information it need as soon as possible.”

According to O’Neil, the government continues to believe that no customer should be responsible for the costs associated with a data breach, and the two parties cooperate to guarantee that the impacted customers are safe from current and potential hazards.

She claimed that the National Coordination Mechanism, whose members had already convened five times, had been established by the government in March to coordinate state and federal agencies in order to support Latitude and its clients.

Senator James Patterson, the spokesman for the opposition’s cyber security team, tweeted that the data breach was upsetting news for Latitude’s clients and that the Australian Federal Police were looking into it. He stated, “The government must immediately offer calm, realistic information about the ramifications of the attack and any measures clients should take to lessen the hazard.

The corporation is cooperating with the Australian Cyber Security Centre and independent consultants as the Australian Federal Police conducts an investigation. The incident is the most recent to affect millions of Australians; big companies like Optus and Medibank have reported recent significant cyber incidents.

Nigel Phair is employed by Monash University’s Department of Software Systems & Cybersecurity. He claimed that all online users must protect their personal information in the current environment, adding that Latitude’s clients should take extra precautions in the future. Users of Latitude were advised to keep a close eye on all of their accounts for any erroneous emails, texts, or transactions.

What Does Latitude Financial Suggest?

  • On Monday, the non-bank lender advised being cautious with all online conversations and transactions in a statement to the ASX.
  • If you believe that hackers have accessed your personal information, follow these instructions.
  • Watch out for phone, mail, and email phishing schemes.
  • Confirming the legitimacy of communications received.
  • Avoiding responding to texts from eerie or unfamiliar numbers.
  • Often changing passwords with “strong” passwords, refraining from reissuing passwords, and turning on multi-factor authentication for any online accounts that support it.
  • Latitude won’t get in touch with clients and request passwords or confidential information.


According to Latitude Financial, a cyber-attack that was previously reported this month led to the theft of over 14 million client records, including highly sensitive personal data. In a statement released today, the consumer lender with headquarters in Melbourne said that hackers stole 7.9 million driver’s license details from Australia and New Zealand, 40% of which had been provided to the business in the previous ten years. 94% of the 6.1 million more documents that were stolen, which dated back to 2005, were given before 2013. However, many of these will still be valid, including personal information like name, address, phone number, and birthdate.

A total of 53,000 passport numbers as well as the financial records of “fewer than 100 consumers,” were stolen. Latitude Financial first asserted that the intrusion had only led to the loss of about 100,000 identity documents and 225,000 customer details. Although it asserted that no suspicious activity had been seen since March 16, the company is probably going to suffer a lot of fallout from the incident. Consumers will undoubtedly be subjected to a barrage of convincing phishing assaults utilizing stolen data to gain bank information. Con artists may also purchase the data online to try to commit identity fraud. Ahmed Fahour, CEO of Latitude Financial, apologized to the clients who were negatively impacted by today’s revelation and called it “hugely upsetting.”

Notify of
3 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Sally Vincent
Sally Vincent , Senior Threat Research Engineer
InfoSec Expert
April 4, 2023 7:12 pm

Latitude Financial, an Australian consumer credit business offering personal loans and finance, has just disclosed that personal data of roughly 14 million customers has been stolen in a cyberattack initially estimated to affect only 330,000 individuals. After disclosing earlier this week that it had noticed some unusual activity on its networks, the company has now admitted to the large number of customers affected. Data stolen in the attack includes driver’s license numbers, passport numbers, names, addresses, birthdays and phone numbers. 
This incident is the latest in a string of attacks in Australia, following that on Optus, one of the country’s largest telecommunications companies, which compromised the data of nearly 10 million Australians, and a similar attack on Medibank, which also impacted nearly 10 million Australian citizens, including the country’s prime minister. 
Unfortunately, financial institutions provide hackers with a significant incentive to steal and sell private information. These organizations continue to be extremely vulnerable to attacks as long as these hackers can continue to make money from their crimes, and financial institutions need to have a strong cybersecurity posture to be able to defend against these efforts to steal and extort data. This posture should include effective incident and response plans in addition to other preventative measures like password hygiene, threat detection, and real-time monitoring and visibility capabilities. In addition, diligent patching, creating backups, and giving priority to educational training are essential for prioritizing security and protecting priceless data.

Last edited 2 months ago by sally.vincent
Phillip Ivancic
Phillip Ivancic , APAC Head of Solutions Strategy
Industry Leader
March 29, 2023 10:50 am

A worrying trend for Australians
The Latitude Financial attack clearly shows that criminal groups are moving to a business model of selling Australian’s highly sensitive personal information, including biometric information, on the dark web.
What’s most disturbing about the Latitude Financial attack is that at least 100,000 facial images, matched with full drivers’ license details, were stollen. Australian’s can change passwords and monitor credit reports, however, they can’t change the biometric markers on their face!
Losing control of biometric information which is already matched with government issued identity documents like driver’s licenses, is particularly worrying in the age of “Artificial Intelligence” and “Deep Fakes” and could result in a steep increase in future fraud. Let’s face it, criminals are targeting this type of information with the hopes of further financial gain through theft and fraud against Australians.
Early evidence of missing or ineffective cybersecurity controls
So far, the company has made public statements that the information was accessed by “compromised credentials used by their third party vendors”. Although, investigations are still underway, this public statement does indicate that some really important cybersecurity controls were either missing or weren’t sufficiently and continuously tested for effectiveness.
Examples of standard cybersecurity controls that would have helped to prevent an attack like Latitude Financial where “third party credentials are compromised” include:

  1. Encryption coupled with strong key management of sensitive information like driver’s license and facial biometrics, meaning that third parties could not access sensitive data ‘in the clear’.
  2. Ensuring Multi-Factor Authentication is effectively in place and not just relying on username and passwords for third party access.
  3. Application Business Logic can be designed limiting a third party’s access to sensitive data in the first place as well as preventing mass-exfiltration of such data.

All of those standard cybersecurity controls above can be tested for in an automated and continuous manner using a Dynamic Application Security Testing Managed Service like White Hat Dynamic, combined with Threat Modelling techniques and expert-led Penetration Testing.
What should your company do to prevent a similar attack?
Before sharing any data with a third party, a Threat Model or Architecture Review should be conducted on the project to map out exactly how the data flows will work and the security controls that will need to be in place to prevent such attacks. There are many frameworks for identifying the range of security controls that need to be in place including Australian Government resources from the ASD (Australian Signals Directorate). Threat Modelling techniques will help identify the appropriate controls for each project and are especially important where data is shared between third parties.
Penetration Testing can ensure the chosen controls are effective and can withstand sophisticated attack techniques. Automated and continuous Dynamic Application Testing can ensure that important controls remain effective between manual, expert-led penetration testing.

Last edited 2 months ago by Phillip Ivancic
Jake Moore
Jake Moore , Cybersecurity Specialist
InfoSec Expert
March 29, 2023 10:49 am

It is not unusual for companies to keep hold of large amounts of customer data but they need to store it more securely if they want to preserve customer confidence and limit the amount of access points. We are seeing far too many companies attacked and some do not understand the full impact of what has been taken until later into the investigation. Latitude provides financial services for some huge companies meaning the impact of this compromise leaves a bigger wake than usual. 
However sophisticated an attack may appear, executives need to secure sensitive customer data such as passports with the utmost protection. The risk to identity theft and follow on attacks will now be very likely to those affected so they will need ongoing extra protection.

Last edited 2 months ago by Jake Moore

Recent Posts

Would love your thoughts, please comment.x