A month after the financial company closed its BNPL services in Australia

Financial announced on 16 March 2023 that it had detected unusual activity on its systems which it can now confirm as a sophisticated, well-organised and malicious cyber-attack which remains active.

The company recognised distress to customers caused by the theft of their personal information, and we are committed to transparently updating our customers, partners, employees, and the broader community.

Latitude immediately engaged leading external cyber security experts, the Australian Cyber Security Centre, the Australian Federal Police, and other relevant Government agencies.

The attack on Latitude is now the subject of an investigation by the Australian Federal Police. Latitude understands that approximately 103,000 identification documents, more than 97 per cent of which are copies of drivers’ licences, were stolen from the first service provider. Approximately 225,000 customer records were also stolen from the second service provider.

In a media statement, Latitude noted its people were working around the clock to contain the attackers. We have taken the prudent action of isolating some of our technology platforms which means that we are currently not onboarding new customers.

Because the attack remains active, it has taken platforms offline and are unable to service customers and merchant partners.

“We cannot restore this capability immediately; however, we are working to do so gradually over the coming days and ask our customers for their continued patience. Our restoration of these services is aligned to our forensic review.” stated Lattitude

In conjunction with our cyber-security experts, we are continuing our forensic review of our IT platforms to identify the full extent of the theft of customer information because of the attack on Latitude.

So far, Latitude can confirm that:

• As previously disclosed, approximately 330,000 customers and applicants have had their personal information stolen.
• Approximately 96 per cent of the personal information stolen was copies of drivers’ licences or driver licence numbers.
• Less than 4 per cent was copies of passports or passport numbers
• Less than 1 per cent was Medicare numbers.

As our review deepens to include non-customer originating platforms and historical customer information, we are likely to uncover more stolen information affecting both current and past Latitude customers and applicants. We will provide a further update when we have more information to share.

Latitude encourages our customers to remain vigilant. We will never contact customers requesting their passwords.

From today, Latitude will commence contacting customers and applicants who have so far been impacted by this criminal act, having already written to all our customers on Thursday 16 March 2023 to alert them to the cyber-attack.

Latitude will confirm to each impacted customer and applicant what personal information has been stolen, what we are doing to support them and what additional steps customers should consider taking to further protect their information. This includes Latitude working with relevant agencies to replace identification documents, where necessary, at no cost to our customers.

We have engaged IDCARE to help support those impacted. IDCARE is a not-for profit organisation and Australia and New Zealand’s national incident response service specialising in providing free, confidential cyber incident information and assistance. Impacted customers and applicants will be able to contact IDCARE during business hours on 1800 595 160.

As of today, Latitude has established dedicated contact centres for impacted customers in Australia and New Zealand to answer queries, as well as a dedicated help page on our website to keep customers and partners fully informed of developments.

Once the cyber-attack is contained, Latitude commits to a review of this incident. This review will help Latitude to most effectively safeguard our customers, partners, and platforms, while contributing to the continued fight against cyber-crime on Australian businesses.

Latitude is still assessing the anticipated total cost to it of this incident, including the cost to Latitude of the support we intend to provide our customers as described in this announcement.

Latitude maintains insurance policies to cover risks, including cyber security risks, and we have notified our insurers in respect of the incident.

Latitude Financial Services CEO Ahmed Fahour said the financial services company “sincerely apologised” to customers and partners for the distress and inconvenience this criminal act has caused. He fully understood the wider concern that this cyber-attack has created within the community.

“Our focus is on protecting the ongoing security of our customers, partners and employees’ personal and identity information, while also doing everything we can to support customers and applicants who have had information stolen,” he said.

“While we continue to deliver transactional services, some functionality has been affected resulting in disruption. We are working extremely hard to restore full services to our customers and merchant partners and thank them for their patience and support. We understand their frustration. Customers should refer to Latitude’s website for regular updates.”

Latitude strongly advised all Australian and New Zealand citizens to regularly change passwords of important financial accounts.

There are immediate precautions that you can take to protect your identity and personal information:

1. You can contact one of Australia’s three credit reporting bodies to obtain your credit report so you can confirm if your identity has been used to obtain credit without your knowledge.
   1. You can also request the credit reporting bodies to place a credit ban on your credit file via their website or by contacting them directly. If you intend to apply for a credit ban, please be aware that you will not be able to apply for credit while the ban is in place.
2. You can refer to Australian Government information on how you can protect yourself at cyber.gov.au or to Office of the Privacy Commissioner for information on how you can protect yourself at privacy.org.nz.
3. You should be alert for any phishing scams that may be sent via SMS, phone, email, or post.
4. You should always verify the sender of the communications you receive to ensure they are legitimate.
5. You should never click on links contained in SMS or email messages unless you know they are legitimate.
6. You should be careful when opening or responding to texts from unknown or suspicious numbers.
7. You should be careful when answering calls from private numbers or callers originating from unusual geographic locations.
8. You should regularly update your passwords and ensure you are using strong passwords. Also use multi-factor authentication where possible.

In February 2023 Latitude has made the decision to close its BNPL offering in Australia and New Zealand, effective immediately, after completing an extensive strategic review of the service.

BNPL has achieved its aim by attracting more than half a million customers to Latitude but is an immaterial part of the business, representing approximately 0.3 per cent of receivables.

Given this, and because of the uncertainty surrounding the future regulatory environment, Latitude believes now is the right time to exit the sector.

Latitude remains fully supportive of regulating BNPL as a credit product.

Latitude is in the process of contacting customers and merchants of LatitudePay in Australia and Genoapay in New Zealand to explain what this means for them.

Latitude is focused on supporting the more than two million customers and 5000 merchant partners that it serves through its main instalment’s products, Latitude GO, Latitude Gem and CreditLine.

Tags: AustraliaFinancialLatitude