Australian lending giant Latitude Financial Services (Latitude) is warning customers that its data breach is much larger than initially announced, taking the number of people affected from 328,000 to 14 million.

Australian lending giant Latitude Financial Services (Latitude) has issued an updated data breach notification warning customers that the breach is much larger than initially stated, increasing the number of affected people from 328,000 to 14 million.

On March 16, 2023, the Australian personal loan and financial services provider disclosed a cyber incident where a malicious actor stole an employee’s login to breach two of the company’s service providers holding Latitude’s customer data.

At that time, the company estimated that the intruder had accessed around 328,000 customer records, mostly driver’s licenses.

Latitude’s response included shutting down customer-facing systems to contain the attack while investigations to reveal the full extent of the impact continued.

14 million people affected

Unfortunately, after further investigating the incident, Latitude revealed that the impact of the incident is far greater, and it is now believed to have affected 14 million customers or loan applicants from Australia and New -Zealand.

“As our forensic examination continues to progress, we have identified that approximately 7.9 million Australian and New Zealand driving license numbers have been stolen, of which approximately 3.2 million, or 40 per cent, were taken from us. been provided in the past 10 years”, reads the new statement.

“About 6.1 million additional documents dating from at least 2005 were also stolen, of which about 5.7 million, or 94%, were provided before 2013.”

The 6.1 million customer records also include customers’ full names, addresses, phone numbers and dates of birth.

Additionally, Latitude discovered that the attackers stole approximately 53,000 passport numbers.

Latitude says they will reimburse those who wish to replace their stolen identification documents and recommends customers monitor their credit reports for any fraudulent activity.

Instructions for signing up for protection services are attached to the notices sent to data subjects and to the public statement.

The Australian Federal Police (AFP), which is assisting Latitude with ongoing investigations, has also announced that it expansion of “Operation Guardian” to help protect Latitude customers from cybercriminals who attempt to exploit disclosed personal data.

Law enforcement reminds the public that buying stolen information online is a criminal offense punishable by up to 10 years in prison.

“It is extremely disappointing that such a large number of additional clients and candidates have been impacted by this incident. We unreservedly apologize,” said Latitude CEO Ahmed Fahour.

“We are committed to working closely with customers and affected applicants to minimize risk and disruption to them, including reimbursing costs if they choose to replace their ID. We are also committed to perform a full review of what happened.”