Latitude Financial breach widens across ANZ
Anyone in Australia or New Zealand who has applied for or received finance from Latitude Financial over the past seven years may have had their identity documents compromised, according to an update on the major data breach revealed on March 16.
The “sophisticated, well-organised and malicious cyber-attack” on one of Australia’s largest non-bank lenders was initially thought to affect approximately 330,000 of its customers; however, an ongoing forensic review has revealed that the breach may extend further.
The breach affects current customers and also those who have applied for finance in both Australia and New Zealand. The company operates finance companies Genoapay and Gem Visa in New Zealand.
Latitude, which provides consumer finance services to retailers Harvey Norman, JB Hi-Fi, The Good Guys, Apple and David Jones, says it is contacting those who have been impacted, and that the Australian Cyber Security Centre and Australian Federal Police have been advised of the breach, which the AFP is now investigating.
The company says approximately 96% of the personal information stolen was copies of drivers’ licences or driver licence numbers. Less than 4% was copies of passports or passport numbers and less than 1% was Medicare numbers.
The company says the breach extends to previous applicants and customers who may have closed their account as it “is required to retain account records for at least 7 years after an account is closed. This is to comply with Anti-Money Laundering and counter-terrorism financing laws.”
“While to the best of our knowledge no compromised data has left Latitude’s systems since Thursday March 16, regrettably our review has uncovered further evidence of large-scale information theft affecting customers (past and present) and applicants across Australia and New Zealand,” the company said in a statement to the Australian Stock Exchange.
“Our people are working urgently to identify the total number of customers and applicants affected and the type of personal information that has been stolen.”
The Australian Department of Foreign Affairs and Trade has advised that Latitude Financial customers concerned about the recent data breach do not need to replace their passports, although those who had their NSW driver licence details exposed in the breach may need to replace their card.
The Department of Internal Affairs (DIA) revealed more than 1300 New Zealanders have had their passport details stolen, although it also states there is no need for passports to be replaced.
The NSW Government has advised that there is no need for residents of that state to replace their drivers licence unless Latitude Financial has informed them that both the licence number and the card number were compromised.
This is because in NSW, increased identity protections came into effect on 1 September 2022, to help guard against unauthorised use of a drivers licence for ID purposes.
Since that date, both numbers on your driver licence, the licence number and the card number, are required to pass a Document Verification Service (DVS) check.
When you replace your licence, your drivers licence number will remain the same but your card number will change. This will protect you from unauthorised DVS checks using the old card's information.
Anyone who has renewed or replaced their NSW drivers licence card recently and has not provided those credentials to Latitude Financial since replacement may not need to have their card replaced again.
The breach was initially uncovered when Latitude noticed unusual activity on its systems that originated from “a major vendor” it uses. The vendor has not been identified, although the company stated it “uses service providers to deliver certain services, including to verify identity.”
“The attacker was able to obtain Latitude employee login credentials before the incident was isolated,” the company stated.
“The attacker appears to have used the employee login credentials to steal personal information that was held by two other service providers.”