Latitude Financial Services (Latitude) disclosed a data breach after suffering a cyberattack, forcing the company to shut down internal and customer-facing systems.

Latitude is one of Australia’s largest personal loan providers and the country’s largest non-bank consumer credit lender.

A subsidiary of Deutsche Bank and KKE, the company offers a wide range of consumer credit services, including unsecured personal loans, credit cards, car loans, personal insurance and interest-free retail financing.

In addition, Latitude offers major Australian retailers like Harvey Norman, JB Hi-Fi, David Jones and The Good Guys “buy now, pay later” (BNPL) programs.

One breach leads to another

According to the “cyber incident” notification, Latitude’s internal systems were hacked, allowing a malicious actor to steal an employee’s login. These credentials were then used to connect to two of the company’s service providers to steal customer data.

“To date, Latitude understands that approximately 103,000 identification documents, of which more than 97% are copies of driver’s licenses, were stolen from the first service provider.” explains Latitude.

“Around 225,000 customer records were also stolen from the second service provider.”

Latitude did not say whether the second provider’s records contain data similar to that of the first provider, i.e. IDs and driver’s licenses or other information.

BleepingComputer has requested a comment from the firm to clarify this, and we’ll update this story as soon as we receive a response.

Exposed customers are not expected to take any steps to protect themselves at this time. However, they are advised to remain vigilant as their stolen data may be used in phishing or social engineering attacks.

The company shut down several internal and customer-facing systems while responding to the incident and says efforts to contain the attack and prevent breaches or other customer data are still ongoing.

Although the public announcement has been made available to all customers, those directly affected by the security incident will receive personal notifications.