Ransomware is a vicious cycle that no one seems able to break free of once caught in it, as we saw when it shattered Medibank last year. Having refused to pay, Medibank could only watch helplessly as the hackers released private customer medical records to the dark web. Unfortunately, history has repeated itself, this time with Latitude Financial’s (ASX: LFS) recent cyber attack. After the personal data of its 14 million current and past customers was stolen in March, the financial services provider announced that the criminals have demanded a ransom.
In the same vein as its predecessor, Latitude insists that it will not pay, as there is no guarantee that paying a ransom will result in the return or destruction of the stolen information, as advised by cybercrime experts in line with the Australian Government. Paying a ransom would instead be detrimental to customers and cause harm to the broader community by encouraging further criminal attacks.
A consumer lender that offers personal loans and credit to customers shopping at retailers such as JB Hi-Fi, The Good Guys and Harvey Norman, Latitude first disclosed it was hacked on 16 March 2023. The breach was initially thought to include only around 328,000 customer records. However, the number grew to 14 million after the Company provided an update on 27 March 2023, stating that 7.9 million Australian and New Zealand drivers licence numbers were stolen together with a further 6.1 million records dating back to 2005.
The stolen data the attackers have detailed as part of the threat is consistent with the number of affected customers disclosed by Latitude in the announcement dated 27 March 2023, which includes drivers licences, passport numbers, and financial statements. The ransom threat is currently under investigation by the Australian Federal Police.
Latitude did not disclose how much the ransom demand is, or whether it has been actively communicating with the hackers. It claimed not to have detected any hacker activity on its systems since 16 March, the day the data breach was first discovered.
Latitude CEO Bob Belan commented, “Our priority remains on contacting every customer whose personal information was compromised and to support them through this process.”
“In parallel, our teams have been focused on safely restoring our IT systems, bringing staffing levels back to full capacity, enhancing security protections and returning to normal operations. I apologise personally and sincerely for the distress that this cyber-attack has caused and I hope that in time we are able to earn back the confidence of our customers.”
As damage control, Latitude claimed that it is currently offering support to affected individuals through a fully operating comprehensive customer care and remediation program. However, several customers have expressed disappointment in the lack of communication from the Company. Many are furious and frustrated as they haven’t heard anything other than a very generic initial email, while others are comparing the situation to how Optus and Medibank have previously managed to set up better systems and procedures to help affected customers.
Customers also questioned Latitude’s data retention procedures, expressing concern that their private information had been held by the company for several years after the Company confirmed that the stolen personal information dates back to 2005. Latitude Financial itself was established in 2015, when GE Capital sold its business in Australia and New Zealand to a consortium led by Deutsche Bank, KKR and Varde Partners. Customer data acquired prior to the business sale was then transferred to the current Latitude.
Meanwhile, the Australian Securities & Investments Commission (ASIC) requires companies to keep records for seven years.
In communication with affected customers, Latitude has hinted that the attack may have originated from a major vendor used by the company, which would probably be a back-end infrastructure provider. The Company took immediate action in response to unusual activity on its systems, but the attacker was able to steal a Latitude employee’s login credentials, which were then used to steal customer records from two of Latitude’s service providers.
Latitude has not clarified what it means by service providers.
As a consumer lender, Latitude offers a variety of credit options including personal loans, car loans, credit cards, and insurance, and therefore requires many identification documents as part of its credit-checking procedure for new customers. Documents used in credit checks often contain unique identifiers that can open a customer up to identity theft.
With this being one of the largest known data breaches at an Australian financial institution, the future is still bleak for Latitude as it has chosen not to pay the ransom. By comparison, Medibank ended up losing $2 billion from its market valuation at the height of the crisis last year. It still faces lawsuits and an investigation by the Office of the Australian Information Commissioner over its handling of the incident.
Professor Richard Buckland, a cybersecurity expert at the University of New South Wales, observed that the similarities between the Latitude and Medibank cyber hacks reflect the cracks in security procedures that need to be urgently corrected in the Australian cyber security sphere, especially since even big businesses are not immune from data breaches.
Professor Buckland told the ABC, “I think what we’re seeing here is there is a pattern that companies aren’t properly securing their businesses no matter what their external assurances are, and we’re still seeing the same mistakes happening even after big public disclosures of the consequences of getting it wrong.”