Latitude Financial Breach Exposes 14M Client

Latitude Financial, an Australian consumer lender that offers personal loans and credit to customers at major retailers such as JB Hi-Fi, The Good Guys, and Harvey Norman, announced on March 22, 2021, that it had suffered a significant data breach. The company initially reported that the breach only involved about 100,000 identification documents and 225,000 customer records. However, a recent statement reveals that the incident is far worse, with cybercriminals stealing 14 million customer records, including driver’s license and passport numbers, financial statements, and other sensitive information.

Latitude’s statement indicates that some of the stolen documents date back to at least 2005, and the breach includes 7.9 million Australian and New Zealand driver’s license numbers, 53,000 passport numbers, and 6.1 million additional customer records, of which 5.7 million were provided before 2013. The exposed data includes personal information such as names, addresses, phone numbers, and dates of birth.

Ahmed Fahour, Latitude’s Chief Executive, issued an apology for the breach, stating, “It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologize unreservedly.” Fahour further added that the company would work closely with impacted customers and applicants to minimize the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document.

The breach occurred after the cybercriminals obtained Latitude employee login credentials to access the documentation, emphasizing the need for companies to improve their security protocols and increase their efforts to train employees on identifying and preventing cybersecurity threats. Latitude’s breach raises concerns about data storage practices and the need for businesses to evaluate the necessity of retaining old customer records. The incident is the latest in a series of major cyber attacks on Australian companies, including Optus and Medibank.

Erdem Uzuner, a client director at accounting and audit firm Pitcher Partners Melbourne, recommends that businesses should consider whether they need to keep old records. “Cybersecurity is critical to protecting the data organizations have and use to conduct business, but they also need to make conscious decisions about whether they need all the information they hold,” Uzuner said. “If there is a concern that people will break into your house, you don’t keep highly valuable items that don’t need to be there.”

The breach’s financial and reputational impact on Latitude is yet to be seen, but the company’s shares were down more than 3% on Monday. Latitude is reaching out to affected customers and applicants to inform them of the details of the breach and remediation plans.

In conclusion, the Latitude Financial data breach is a clear indication of the need for businesses to strengthen their cybersecurity measures and protocols. Companies must be proactive in assessing their security risks and identifying potential vulnerabilities, particularly in the face of increasingly sophisticated cyber attacks. Additionally, businesses must consider the necessity of retaining old customer records and ensure that they have appropriate measures in place to protect sensitive information.