Australian financial services company Latitude Holdings has had personal information of 7.9 million customers stolen in a cyberattack. An investigation is underway involving the Australian Federal Police and its Cyber Security Centre. The news comes on the same day as the nation’s biggest casino operator, Crown Resorts, also announced it was investigating a breach after being contacted by a ransomware gang.
Latitude announced the extent of the breach this morning via an update to the Australian Securities Exchange. The company is more than 100 years old and reported revenue of AUS$790m last year.
It is not known who is behind the attack, or whether a ransom demand has been issued.
Latitude Group cyberattack worse than first thought
The breach was initially announced on March 16, when Latitude claimed that the company had lost 300,000 records, in what it called “a sophisticated and malicious cyberattack.” According to today’s release, the extent of the damage suffered is much worse.
“As our forensic review continues to progress we have identified that approximately 7.9 million Australian and New Zealand drivers license numbers were stolen, of which approximately 3.2 million were provided to us in the last 10 years,” states the announcement.
In addition, around 53,000 passport numbers were stolen, as well as up to 100 financial statements.
Records including names, addresses, telephone numbers and dates of birth of around 6.1 million customers were also lost to the hack. The company is in the process of writing to those who have been affected.
In order to support customers who have lost their details, Latitude is offering a “comprehensive customer care programme,” which includes contact numbers for concerned customers, hardship support for “customers who are in a uniquely vulnerable position as a result of the cyberattack” and access to a company called IDCARE, to provide support to victims who are in danger of identity fraud.
“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this accident,” said Ahmed Fahour, Latitude Financial CEO. “We apologise unreservedly”.
Crown Resorts hit by ransomware attack
Also today it was announced that Australia’s largest casino operator, Crown Resorts, has been contacted by a ransomware gang which claims to have stolen some of the company’s data.
The information was allegedly obtained following a data breach at the file transfer service GoAnywhere. “We were recently contacted by a ransomware group who claimed they have illegally obtained a limited number of Crown files,” a spokesperson for Crown Resorts said.
“We can confirm no customer data has been compromised and our business operations have not been impacted.”
Security researchers have noted suspicious activity around GoAnywhere over the last couple of months, and a compromise of the service is said to have led to the breach of another Australian company, mining giant Rio Tinto, earlier this month.
Indeed, Australian companies have suffered several high-profile and damaging cyberattacks in recent months. The country’s government is launching a new agency which it hopes will help businesses deal with the growing threat they face.
In the announcement of the new department, Prime Minister Anthony Albanese admitted that the country’s cyber resilience needs improvement. “As a nation, it is simply not at the level it needs to be,” Albanese said. “This is a really fast-moving, rapidly evolving threat and for two years Australia has been behind pace,” he said.
Negotiations with the criminals responsible then fell apart, leading to the leaking of medical data to be sold on the dark web, according to an update released by the company.
One month earlier in September, Australian mobile network Optus experienced a cyberattack which led to the loss of 2.8 million records containing personal data.
Albanese described this attack as a “wake-up call” for businesses at the time.
Australia’s cybersecurity minister Clare O’Neil said: “Cyber attacks are a growing threat and will become a more routine part of our lives for years to come, and this incident is another reminder of the importance of improving Australia’s cyber security and privacy settings.”
“We urge all customers to be vigilant and on the lookout for suspicious behaviour relating to their accounts, we will never contact customers requesting their passwords,” he said in the announcement.