Australian loan giant Latitude Financial Services (Latitude) is warning customers that its data breach is much more significant than initially stated, taking the number of affected individuals from 328,000 to 14 million.
Australian loan giant Latitude Financial Services (Latitude) has released an updated data breach notification warning customers that the breach is much more significant than initially stated, taking the number of affected individuals from 328,000 to 14 million.
On March 16, 2023, the Australian personal loan and financial service provider disclosed a cyber-incident where a threat actor stole an employee’s login to breach two of the company’s service providers holding Latitude’s customer data.
At that time, the company estimated that the intruder accessed about 328k customer records, mostly driver’s licenses.
Latitude’s response included shutting down customer-facing systems to contain the attack while the investigations to reveal the full scope of the impact continued.
14 million people affected
Unfortunately, after further investigating the incident, Latitude has revealed that the impact of the incident is much more significant, now believed to have affected 14 million customers or loan applicants from Australia and New Zealand.
“As our forensic review continues to progress, we have identified that approximately 7.9 million Australian and New Zealand driver license numbers were stolen, of which approximately 3.2 million, or 40%, were provided to us in the last 10 years,” reads the new statement.
“A further approximately 6.1 million records dating back to at least 2005 were also stolen, of which approximately 5.7 million, or 94%, were provided before 2013.”
The 6.1 million customer records also include customers’ full names, addresses, telephone numbers, and dates of birth.
Additionally, Latitude has found that the attackers stole approximately 53,000 passport numbers.
Latitude says they will reimburse those wishing to replace their stolen ID documents and recommend customers monitor their credit reports for fraudulent activity.
Instructions on enrolling for the protection services are enclosed in the notifications sent to impacted individuals and on the public statement.
The Australian Federal Police (AFP), which assists Latitude in the ongoing investigations, has also announced that it is expanding “Operation Guardian” to help protect Latitude’s customers from cybercriminals attempting to exploit the leaked personal data.
The law enforcement service reminds the public that buying stolen information online is an offense punishable by up to 10 years of imprisonment.
“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly,” said Latitude CEO Ahmed Fahour.
“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full review of what has occurred.”