Cyber Incident Victim: Latitude Financial Services

Latitude Financial experienced a cyber-attack in March 2023, resulting in unauthorized access to and theft of personal information belonging to current and former customers, applicants (including those who did not complete applications), and individuals associated with legacy accounts from GE Money, which Latitude acquired in 2015. The breach impacted individuals across Australia and New Zealand, with stolen data limited to identity information collected during credit application processes or account openings, though the specific compromised details varied by individual. Latitude promptly isolated the incident by taking affected systems offline, prioritizing containment to prevent further data exfiltration, but this action caused a six-week disruption to normal services. Shortly after detection, the criminals issued a ransom demand, which Latitude publicly refused, citing concerns that payment would not guarantee data destruction or retrieval while potentially incentivizing further criminal activity against customers and regional businesses. The Australian Federal Police initiated an investigation into the incident, including efforts to identify the perpetrators. Latitude confirmed the scope of stolen data cited in the ransom threat aligned with its internal forensic assessment, which was used to determine notification requirements.

Latitude commenced direct outreach via email or postal mail to all affected individuals for whom contact details were available, prioritizing communications to those whose government-issued identification documents were compromised. These notifications specified the exact personal information stolen per recipient, outlined recommended protective actions, and detailed Latitude’s reimbursement program for costs associated with replacing compromised ID documents. The company collaborated with government agencies to expedite document reissuance and secure fee waivers where possible; for individuals incurring out-of-pocket replacement costs, Latitude established a dedicated claims process requiring submission of a reference number from their breach notification and bank details for direct reimbursement. Post-incident, Latitude restored all systems after conducting a comprehensive security review and implementing undisclosed enhancements but confirmed no evidence emerged suggesting stolen data had been disseminated on the dark web or actively exploited for fraud. Customer account obligations, including repayment schedules, remained unaffected. Latitude advised vigilance against potential phishing scams while emphasizing its communications would never solicit passwords, sensitive data, or payments, and directed individuals to national cybersecurity resources for additional protection guidance. The Australian Passport Office affirmed compromised passport copies remained valid for travel due to existing border security controls, though Latitude reiterated the need for credit report monitoring given the risk of copy-based identity fraud.