Latitude Financial says data on 14 million customers — not 330,000 — was stolen by hackers

Latitude Financial, the Australian consumer credit business, says that it now believes data on 14 million customers was stolen in a cyberattack rather than the 330,000 it had initially estimated.

The company disclosed Monday that it had detected suspicious activity on its networks earlier this month, but its initial figure for the number of customers impacted by the hack was dramatically smaller than subsequent investigations have uncovered.

Latitude offers personal loans and finance for consumers shopping at a range of retail brands in Australia and New Zealand. Applications for this kind of financing normally require consumers to share a significant amount of personal data for fraud and credit-checking purposes.

The company appears to have held on to much of this data for a long time. The breach includes 7.9 million Australian and New Zealand driver license numbers, as well as 53,000 passport numbers provided by customers over the last 10 years.

Also included is a further 6.1 million records — including names, addresses, telephone numbers and dates of birth — dating back to at least 2005 from customers who had mostly shopped with the company before 2013.

“We recognise that today’s announcement will be a distressing development for many of our customers and we apologize unreservedly,” the company announced on Tuesday,

“We are writing to all customers, past customers and applicants whose information was compromised outlining details of the information stolen and our plans for remediation,” it added.

The breach at Latitude Financial follows another at Medibank, one of Australia’s largest health insurance businesses, which impacted 9.7 million customers, including the country’s prime minister.

That followed a data breach at Optus, the country’s second-largest telecommunications company, which involved the theft of basic personal information relating to 9.8 million Australians — including driver license and passport numbers from 2.8 million people. Australia’s population is about 25 million.

For those Australians impacted by Optus, Medibank and now Latitude, I know they’ve had a gutful and they don’t deserve this.

— Clare O'Neil MP (@ClareONeilMP) March 27, 2023

In a statement, Latitude Financial chief executive Ahmed Fahour said: “It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologize unreservedly.

"We are committed to working closely with impacted customers and applicants to minimize the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full review of what has occurred,” said Fahour.

He urged customers to be vigilant for suspicious behavior and stressed the company would never contact customers to request their passwords.