Latitude Financial's data policies questioned after more than 14 million records stolen

Latitude Financial has revealed that its March cyber attack has now affected more than 14 million customer records, much more than the 330,000 records it initially estimated.

According to the latest results from the Australian finance firm's ongoing investigation, 7.9 million Australian and New Zealand driver's licence numbers were stolen during the attack. 40% of these, or 3.2 million records, were provided to the company in the last ten years.

It also identified 53,000 passport numbers that were stolen, as well as financial statements belonging to around 100 customers.

In addition, Latitude said that an extra 6.1 million records dating back to at least 2005 were taken. The vast majority of these records, 94% or 5.7 million of them, were provided to the company before 2013. These records contained personal information including names, addresses, dates of birth, and telephone numbers.

“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident,” said Ahmed Fahour, CEO at Latitude. “We apologise unreservedly.”

The company said that no suspicious activity has been observed on its systems since 16 March.

Latitude is writing to everyone whose information was compromised to notify them of what data has been stolen and its plans for remediation.

It’s also reimbursing customers who decide to replace their stolen ID documents.

“We continue to work around the clock to safely restore our operations,” said Fahour. “We are rectifying platforms impacted in the attack and have implemented additional security monitoring as we return to operations in the coming days.”

Questions exist about the nature of the data theft and the length of Latitude's data retention, given that millions of records date back further than ten years.

The most likely assumption is that the data was being stored on older or less-secure systems, said Michael Queenan, CEO and co-founder of Nephos Technologies.

“My fundamental question is why was Latitude holding data that old in the first place? If, as referenced, ID documents were stolen surely those would have needed to have been updated every ten years or so meaning that older versions should have been deleted,” said Queenan.

“Also, if people who are no longer Latitude customers have had their data breached then it puts into question why their records were not deleted after a certain period of time. I would be asking to see their data retention policy to ascertain why they were holding so much old data including highly personal information.”

Latitude's first disclosure came on 16 March, saying it had detected unusual activity on its systems before confirming on 20 March that it was the victim of a 'sophisticated cyber attack'. The company took its systems offline and was aiming to restore them gradually.

At the time, it confirmed that around 330,000 customers and applicants had their personal information stolen. 96% of the data was driving licences or numbers, with the rest being passport and Medicare numbers.

Latitude also said it was likely to discover more information belonging to customers that had been stolen in the attack, as it was conducting a forensic review into the attack.

Now, it's believed to be one of Australia's largest-ever data breaches during a time at which the country is being heavily targeted by cyber criminals.