Latitude Financial is the latest big company to announce a cyber attack that exposed customer data. This is what we know so far

Who?

Latitude Financial is an Australian company offering digital banking services including a range of loans, insurance and credit cards.

It was formed out of GE in 2015 and listed on the Australian stock exchange (ASX) in 2021.

Until late February it offered a buy now, pay later service called LatitudePay, closing it after a review determined it had been effective at attracting customers but was "an immaterial part of the business".

It still works with large retailers on "instalments products" that serve a similar purpose.

CreditLine is only available through Apple, while the Latitude Go Mastercard and Latitude Gem Visa offer long-term interest-free shopping at partners including Harvey Norman, JB HiFi and The Good Guys, while also acting as normal credit cards.

What happened?

In a March 16 statement to the ASX, Latitude announced it had "detected unusual activity on its systems over the last few days that appears to be a sophisticated and malicious cyber attack".

It said the attack appeared to have originated from "a major vendor used by Latitude", which the ABC understands was essentially a back-end infrastructure provider.

This resulted in the attacker obtaining Latitude employee login credentials before being stopped.

Those credentials were then used to steal personal information held by other service providers.

"As of today, Latitude understands that approximately 103,000 identification documents, more than 97 per cent of which are copies of drivers' licences, were stolen from the first service provider", the company said in its statement.

"Approximately 225,000 customer records were also stolen from the second service provider."

Some customer-facing and internal systems were removed in an attempt to stop more data from being taken.

The company said it was working with the Australian Cyber Security Centre, had alerted relevant law enforcement agencies and engaged cybersecurity specialists.

It also said it was contacting those customers affected by the attack.

Latitude has 2.8 million current customers. It could not tell ABC News whether the hack concerned only their data or potentially former customers too.

UNSW Associate Professor Rob Nicholls says it is one of the first major hacks on a financial services company in Australia, making it significant.

Latitude Group Holdings Ltd is in a trading halt until Monday.

How concerned should customers be? 

UNSW cybersecurity expert Richard Buckland told ABC News the breach was "very concerning" given the level of information people have to give over to get loans.

The big problem is the stolen copies of drivers' licences that Latitude emphasised in its statement. 

Professor Buckland said the company's statement was "a bit coy" about what precisely had been stolen.

He said it was unclear if the licence card ID numbers had been accessed, which would make the breach more concerning than simply the cards themselves being stolen.

With a copy of your licence, criminals can open lines of credit in your name and buy personal items, apply for credit cards or large personal loans and then disappear, leaving you with the bill and a trashed credit history.

Drivers' licences have been described as a "golden ticket" for criminals and are the most common identity documents used to commit fraud.

The Australian Bureau of Statistics' most recent report into personal fraud found that 159,600 Australians had experienced identity theft over the 2021-22 financial year, and 537,200 over the previous five years. 

After the massive Optus data breach in October last year, which affected more than 2 million customers, the states and territories moved to allow those affected to change their licence numbers.

Some jurisdictions waived replacement fees for those affected, while Optus offered reimbursements to others.

We do not yet know if similar support will be offered to those affected by this breach.

ABC/wires