Data breach affecting 14 million customers dents Australia’s cyber security ambitions

An estimated 7.9 million driver licence numbers and 53,000 passport numbers were stolen in the breach.

Up to 14 million customer records have been compromised in one of the biggest breaches in Australia’s history. The breach affects driver’s licences, passports and financial statements of customers in Australia and New Zealand who have accounts with consumer lender Latitude Financial.

This will be an embarrassment to the Australian government, which is striving to make the country the most cyber secure in the world 2023.

The first breach was disclosed in mid-March, but the company played down the scale of the impact. A later analysis found that approximately 7.9 million Australian and New Zealand driver licence numbers were stolen, of which 40% had been provided in the last 10 years. An additional 53,000 passport numbers and 100 monthly statements were stolen. A further 6.1 million records dating back to 2005 were also taken, of which about 94% were provided before 2013.

The hacked records contained personal data, including names, addresses, telephone numbers, and dates of birth.

“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full review of what has occurred”, said Ahmed Fahour, CEO of Latitude Financial. “We urge all our customers to be vigilant and on the look-out for suspicious behaviour relating to their accounts.”

More resilience work

In the company’s first announcement, it said it believed that the attacker used an employee’s login credentials to steal personal information that was held by two other service providers.

“Our people are working around the clock to contain the attackers. We have taken the prudent action of isolating some of our technology platforms which means that we are currently not onboarding new customers”, the company said on March 20. “Because the attack remains active, we have taken our platforms offline and are unable to service our customers and merchant partners.”

The company also says that, to the best of its knowledge, no compromised data has left its systems, and no suspicious activity has been observed since Thursday, March 16, 2023.

Clare O’Neil, Minister for Cyber Security, called the attack and loss of data “deeply concerning”, and said that “Australian companies, governments and organisations need to do more to prevent cyber-attacks”.

137 million affected

In recent years, Australia has suffered some big cyber attacks. The biggest reported data breach was at the unicorn company Canva in May 2019, where 137 million users were affected. In that breach, the hackers got hold of:

  • user names;
  • real names;
  • email addresses;
  • country data;
  • encrypted passwords; and
  • partial payment data.

Before this breach at Latitude Financial, the second biggest attack was on Optus in September last year, where 9.8 million customers were affected.