This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Latitude Financial

Summary

Latitude Financial, a major Australian and New Zealand financial services company, suffered a data breach in March 2023 that ultimately affected 14 million customers and loan applicants. Attackers used a stolen employee login to access two service providers holding Latitude customer data, exposing 7.9 million driver's licence numbers and 53,000 passport numbers. The breach represents the largest theft of identity documents in Australian history.

What Happened

In March 2023, an attacker obtained an employee's login credentials, likely through phishing. Using these stolen credentials, the threat actor breached two of Latitude's third-party service providers that held customer data on behalf of the company.

Initially, Latitude estimated that approximately 328,000 customer records were affected, primarily driver's licences. However, as the investigation progressed, the company discovered that the breach was far more extensive than originally thought. The final tally revealed that 14 million records had been stolen from both Australian and New Zealand operations.

The breach remained active for a period of time, with Latitude warning that the incident could widen as investigators worked to determine the full scope of the compromise.

Impact on Individuals

The stolen data included 7.9 million Australian and New Zealand driver's licence numbers and approximately 53,000 passport numbers—the largest theft of identity documents in Australian history. The breach also exposed customer names, dates of birth, residential addresses, telephone numbers, and email addresses.

The exposure of government-issued identity documents creates a high risk of identity theft and fraud. Criminals can use driver's licences and passports to:

  • Open bank accounts and credit accounts in victims' names
  • Apply for loans or government benefits
  • Create fake identity documents
  • Conduct fraudulent transactions

Affected individuals in New South Wales were offered free driver's licence replacements by the state government. Many victims had previously been affected by other major Australian data breaches, including Optus and Medibank, leading to significant frustration and concern about the cumulative impact of multiple breaches.

Organisational Response

Latitude Financial refused to pay the ransom demanded by the attackers, stating that doing so would not guarantee the return or destruction of the stolen data and was not in the best interests of customers.

The company worked with cyber security experts, law enforcement, and regulators to investigate the breach and notify affected individuals. Latitude faced significant criticism for the evolving nature of its disclosures as the scope of the breach continued to expand during the investigation.

A class action lawsuit was launched against Latitude Financial on behalf of affected customers, seeking compensation for the breach. The lawsuit remains active.

Verification Source: View original statement