Australia’s First Major Financial Services Provider Breach: Latitude Financial Ransomware Update

Australian financial services provider, Latitude Financial, has announced that it has suffered a data breach – likely a ransomware attack. Hackers accessed the data of at least 333,000 applicants and current and former customers via at least one third-party provider.  

Data Taken in the Latitude Financial Breach  

The information published by Latitude Financial isn’t clear about what exactly has been exfiltrated. However, we know that the following identity documents have been taken:  

• At least 7.9 million driver’s licenses; 
• 53,000 passports; and 
• Some Medicare numbers. 

Latitude also mentioned that some ‘customer records’ were affected, including customer names, addresses, telephone numbers, dates of birth, and some financial records.  

Latitude’s Response Thus Far 

Latitude’s public response to the incident has, so far, been quite lacklustre. An early email communication noted their customer service centre was not available to ‘ensure no further security risks occur’.  

They have also shared multiple press releases via the ASX, which you can read here. 

Early reports also suggest that concerned customers have not received information about the types of data that have been taken. Some customers have publicly expressed frustration that they don’t know whether to cancel credit cards or take other steps to protect themselves.  

Blaming their Third-Party Vendors 

Latitude has expressed that it was not its system that was breached, but those of third-party vendors. However, this ‘blame another’ strategy is tone deaf – and it’s unlikely to help their reputation.  

Customers expect that companies will take care of their data, including after a company has passed it to a third-party. Realistically, Latitude runs the risk of sharing the message that they are careless with who they share data with. The message that their systems are intact is meaningless at this point in time.   

It’s also unlikely that the regulators will care.  It doesn’t matter whose system is breached. Using service providers does not absolve organisations from liability.  Organisations that share information with others remain responsible for the security of that data – even if there are contracts in place that suggest otherwise.

Key Takeaways from the Latitude Financial Breach

Securely store data when it’s no longer needed operationally 

The best privacy practice is to delete and destroy data once it’s no longer required. However, certain companies (like financial services and healthcare services providers) are required to keep certain types of sensitive and personal data for many years, even if it would otherwise no longer be required by the company.  

In these circumstances, companies should:

• Have strong processes in place to securely ‘retire’ the information.  
• Double-check that you really do need to retain all the identification documents you think you do. In this case – and in the Optus breach – it seems that companies are retaining records that are used to initially verify a person’s identity far beyond this initial purpose. Organisations should consider whether they can remove identity documents and other personal and sensitive information from customer files once this verification has occurred.
• Warehouse retired data in a separate and secure location, whether physical or digital. As few people as possible should have access to the data – and those who can access it should have multi-factor authentication in place.  
• Mask the data before storing it.  Would the last 3 digits of the passport number be sufficient if passport details need to be retained? 

Communicate How Affected Individuals Can Protect Themselves Early and Often 

Providing general information about how customers can protect themselves can ease a lot of the heartache and concern that comes following a data breach. Information is empowerment in these situations.  

Latitude could have shared information from the Australian Passport Office about the practical impact of passport information being stolen. Similarly, they could have shared details about how to monitor credit or apply to an identity protection vendor.  

Doing so would empower individuals to act, instead of leaving them to wonder (which almost always harms a brand’s reputation).  

Choose Third-Party Vendors with Robust Cybersecurity 

Third-party vendors are often selected by cybercriminals since they can offer access to multiple companies – not ‘just’ one. So, it’s incredibly important to choose third-party providers with robust security – and to require them to maintain that security for the duration of your contract with them.  

We’ve discussed this previously in our article covering questions you should ask your third-party providers.  

Further Resources

Our founder (Dr Jodie Siganto) was contacted by SBS to comment on the Latitude Breach. You can read the article she’s cited in here.

Data Breach Planning 

Your organisation should know whether it would pay a ransomware and how it would recover long before one happens. The risk of a cyber breach is the price you pay to play today. And planning for how you will respond to that breach is essential for the longevity of your organisation.  

Our data breach management services include:

• Developing an information security incident response capability;
• Preparing a data breach response plan;
• Testing and training staff in your incident response;
• Participating as legal advisers and/or privacy experts as part of your data breach/incident response team;
• Keeping you up-to-date with new or changing data breach notification obligations;
• Providing a legal opinion on your data breach notification obligations;
• Participating in or leading the post-incident review process.

Our team of lawyers and security experts can support you through any organisational data breach with a view to resolving it as quickly as possible, while ensuring that any damage or loss to both affected individuals and your organisation is minimised.

If you need assistance developing your data breach response, reach out.