Friday 17th March 2023

BLOG: Latitude Financial Hack – What Do We Know So Far?

Latitude Financial, an Australian non-bank lender that provides consumer loans and runs a “buy now, pay later” scheme, has revealed that hackers have stolen the personal information of more than 300,000 customers, including driver’s licences. The breach was discovered after the company detected unusual activity on its systems.

The stolen data includes 103,000 identity documents, with 97% being copies of driver’s licences from one provider, and 225,000 customer records from the second service provider. Latitude has shut down its BNPL offering in Australia and New Zealand but will continue to offer personal credit cards, travel credit cards, and short-term personal loans. Cybersecurity experts have raised concerns about the breach, given the level of information people have to give over to get loans. The company is cooperating with the Australian Cyber Security Centre and regulators to minimise damage from the incident.

According to Latitude, the cyber attack was initiated through a major vendor that the company uses, which was essentially a back-end infrastructure provider. The hackers then used the login details of a Latitude employee to steal identity documents from two of Latitude’s service providers. The company is working to contain the incident and prevent the theft of further customer data. Latitude is cooperating with authorities to investigate the matter. This attack is the latest in a series of high-profile hacks in Australia, including Medibank and Optus. The government has announced plans to overhaul the country’s $1.7 billion cyber security plan.

The cyber attack on Latitude Financial highlights the ongoing threat that cyber attacks pose to businesses and their customers. The incident is a reminder that cyber risk is not limited to any one sector: it affects any organisation that handles sensitive customer data. It is essential to have robust security measures in place to protect that data, including implementing two-factor authentication and limiting employee access to customer data.

Companies need to thoroughly vet third-party vendors and ensure that those vendors have adequate security measures in place. Companies also need a plan to respond quickly and effectively to a cyber attack, including notifying affected customers and cooperating with authorities.

One way that companies can mitigate the risk of cyber attacks is by using cyber risk ratings. These ratings provide an assessment of a company’s overall cyber risk based on its security posture, vulnerability to attack, and historical breach data. Cyber risk ratings can help companies identify vulnerabilities and take appropriate measures to mitigate risk before an attack occurs. By monitoring cyber risk ratings on an ongoing basis, companies can also stay up to date on the changing cyber threat landscape and adjust their security measures accordingly.

Cyber risk ratings can help companies take a proactive approach to managing cyber risk and ensure they are adequately prepared to protect their customers’ sensitive data. At Orpheus Cyber, we take a threat-led approach to cyber risk ratings. Our ratings indicate an organisation’s level of cyber risk, with a higher score indicating a greater risk of a successful attack. Our scoring system is based on a large amount of data, including threat intelligence, deep and dark web mentions, unpatched vulnerabilities, and evidence of weak email security processes.
