Non-bank lender Latitude Financial (LFS) has slumped on the ASX after confirming further evidence of “large-scale” data theft following a cyber attack last week.
The company first flagged the “sophisticated and malicious” attack on Thursday, March 16, with multiple attackers obtaining employee log-in data to steal personal information held by other service providers.
Latitude on Wednesday said its forensic review to determine the full extent of the attack had uncovered further evidence of data theft affecting past and present customers.
“Our people are working urgently to identify the total number of customers and applicants affected and the type of personal information that was stolen,” the company said in a statement to investors.
Latitude confirmed that to the best of its knowledge, all compromised data came from prior to March 16.
Shareholders understandably reacted poorly to the news; LFS was down more than 6 per cent in afternoon trade on Wednesday.
“Our focus remains firmly on containing this attack, progressing our forensic review of the actions taken by the attacker and restoring operational capability gradually over the coming days,” the company said.
Latitude offered a sincere apology to its customers and acknowledged the frustrating nature of the situation.
Cyber attack origins
On March 16, the company announced it had “detected unusual activity on its system” that took place over the few days prior.
LFS said the culprit gained access to and used employee logins to steal personal information held by two other service providers.
The company confirmed as of March 16, around 103,000 identification documents, more than 97 per cent of which were copies of driver’s licences, were stolen from the first service provider. Around 225,000 customer records were stolen from the second service provider.
Making up 5 per cent of the stolen data was believed to be copies of passports and Medicare cards.
When uncovered, Latitude urgently looked into the matter and called on the Australian Cyber Security Centre and several cyber security specialists to investigate.
Other cyberattacks across the nation
Latitude Financial isn’t the first company to fall victim to cyberattacks in recent times.
In December last year, Australia’s second-largest telecommunications company, TPG Telecom (TPG), fell victim to a high-profile cyberattack, with hackers gaining unwarranted access to emails of up to 15,000 of its customers.
Also last year, Optus was hit with a cyberattack that compromised customer information, including names, dates of birth, phone numbers and email addresses.
Following an extensive review of the attack, the telco giant confirmed that between 2.5 million and 9.7 million current and former customers’ data was accessed by the hacker.
It was considered to be one of the biggest hacks in Australian history.
The rise in cyber attacks in 2022 sparked public outrage, with citizens calling on the government to take urgent action.
Government action
In February 2023, the Privacy Act Review Report was released, outlining 116 proposals to amend and make the Act more suitable to address the current challenges.
Further, Prime Minister Anthony Albanese announced the establishment of a Coordinator for Cyber Security to enhance the nation’s efforts in combating cyber threats.
The aim of the coordinator is to “ensure a centrally coordinated approach” to the government’s cyber security responsibilities.
It forms part of the nation’s 2023-2030 Cyber Security Strategy.
In March 2023, the Australian Government released its Notifiable Data Breaches Report for July to December 2022, which showed a significant rise in Australia’s major cyberattacks and privacy breaches during the period.
Figures were up 26 per cent compared to the previous six months.
As hackers continue to get smarter and smarter, governments, like Australia’s, are continuing in their efforts to mitigate and erase the potential impacts virtual attacks against defenceless customers across the globe.
LFS shares were down 6.2 per cent and trading at $1.13 at 2:45 pm AEDT.