Latitude Financial has been hit with a ransom demand from hackers who stole the details of millions of customers last month – but the company has insisted it will not be paying.
It said on Tuesday that it would not reward criminal behaviour and did not think paying the ransom would see customers’ stolen information returned or destroyed.
About 7.9 million people had their driver’s licence details taken, and about 53,000 passport numbers were stolen in the hack, which was detected last month.
Latitude admitted an additional 6.1 million records dating back to at least 2005 were also poached, including names, addresses, telephone numbers and dates of birth.
Fewer than 100 customers had a monthly financial statement stolen, the consumer finance company told the ASX in March.
The attackers had, as part of their ransom threat, detailed stolen data consistent with Latitude’s disclosure about how many customers were affected, the company revealed.
‘Latitude will not pay a ransom to criminals,’ company chief executive Bob Belan said on Tuesday.
‘Based on the evidence and advice, there is simply no guarantee that doing so would result in any customer data being destroyed and it would only encourage further extortion attempts on Australian and New Zealand businesses in the future.
‘Our priority remains on contacting every customer whose personal information was compromised and to support them through this process.
‘In parallel, our teams have been focused on safely restoring our IT systems, bringing staffing levels back to full capacity, enhancing security protections and returning to normal operations.
‘I apologise personally and sincerely for the distress that this cyber-attack has caused and I hope that in time we are able to earn back the confidence of our customers.’
The hack is under investigation by the Australian Federal Police, while Latitude Financial works with the Australian Cyber Security Centre and cyber security experts to find its cause.
The firm added in its update: ‘We are in the process of contacting all customers, past customers and applicants whose information was compromised, outlining details of the information stolen, the support we are providing and our plans for remediation.
The March 16 hack stole around 14 million pieces of personal information, including 7.9 million driver’s licence numbers, 53,000 passport numbers and 6.1 million customer records.
‘We will complete this process as quickly as we can. We encourage all our customers to remain vigilant and alert to potential scam attempts.
‘To the best of our knowledge, there has been no suspicious activity inside Latitude’s systems since Thursday 16 March 2023.’
Elliot Dellys, founder and CEO of Phronesis Security said Latitude’s position was consistent with government policy.
He explained: ‘Echoing the defiant stance taken by Medibank last year in the face of a similar threat, Latitude has declared they will not be paying the ransom, stating that there is ‘no guarantee that doing so would result in any customer data being destroyed’.
‘This is a position that is consistent with that of the Australian Government, with Home Affairs Minister Clare O’Neil urging Australian businesses in February to not give in to ransom demands, claiming that doing so makes Australia look like a ‘soft target’.
‘The Australian Government has also publicly stated that it is considering criminalising such payments, which have in part been driven by a surge in the uptake of cyber insurance policies.’
He also explained how paying the ransom could be seen as ‘funding future attacks’.
Mr Dellys added: ‘For a broad cross-section of cyber security professionals, it is heartening to see organisations standing up to these criminal attacks – while prevention is always preferable to cure, it is common knowledge that ransom payments inevitably fund future attacks.
‘Historically, the trend has been for businesses to try to make the problem go away as quickly as possible, regardless of the long-term consequences.
Research by McGrathNicol last year found that 79 per cent of Australian businesses hit by a cyber-attack pay the ransom, with an average payment sum of $1.01 million.
‘This is a frustrating statistic for many in the industry, when many businesses remain hesitant to invest in cyber security due to a belief they would never be the target of an attack.
‘All clouds have a silver lining however, and after a disastrous 2022 for Australian data security, this recent trend of businesses standing up to the attackers – typically with significant public and Government support – may be one of them.
‘The more that businesses invest in proactive data retention and disposal practices and cyber security measures, the fewer CEOs will be forced to face the dilemma of whether or not to pay a criminal ransom demand.’
News of the ransom comes after law firms Hayden Stephens and Associates and Gordon Legal announced a potential class action against the company, which provides consumer finance services for David Jones, JB Hi-Fi, Apple, The Good Guys and Harvey Norman.
The law firms will investigate the hack as part of a potential class action and are urging customers to sign up for updates.
Lawyer Hayden Stephens said it must be established how the breach occurred and what harm has been passed on to Latitude customers.
‘Very much part of our investigation is to get answers to those questions,’ Mr Stephens, director of Hayden Stephens and Associates, told Sunrise.
‘It is possible, even probable, that this breach could have been avoided.’
Mr Stephens previously told The Australian newspaper that the option for compensation was being explored.
While all customers are encouraged to register for updates from the investigation, customers will likely need to prove harm suffered as a result of the breach in order to join a potential class action lawsuit.