Latitude Financial data breach (ID data of millions)
What happened
On 16 March 2023, Australian consumer-finance company Latitude Financial announced it had detected a malicious cyber-attack carried out over the preceding days. According to the company, an attacker obtained an employee's login credentials through a third party and used them to access two service providers holding Latitude customer data. The breach was initially thought to be limited, but the scope expanded sharply as the investigation continued. By late March, Latitude said the incident affected roughly 14 million customers, former customers and loan applicants across Australia and New Zealand, making it one of the largest data breaches in Australian history.
According to iTnews and Latitude's own statements, the stolen data included about 7.9 million Australian and New Zealand driver-licence numbers, approximately 53,000 passport numbers, and personal details such as names, addresses, phone numbers and dates of birth, along with financial assessment data from around 900,000 loan applications. Latitude received a ransom demand but refused to pay, saying it would not reward criminal behaviour and that payment would not guarantee the data's destruction. The company engaged external security experts and authorities, offered to reimburse customers replacing identity documents, and later reported tens of millions of dollars in related costs. The OAIC opened a joint investigation with New Zealand's Privacy Commissioner.
Assessment
The incident appears to be a financially motivated criminal breach combined with attempted cyber-extortion, with no established state attribution; it should not be linked to any state actor on current evidence. The compromise of millions of driver-licence and passport numbers creates a lasting identity-theft and fraud risk for affected individuals, since such credentials cannot be easily reset. Latitude's refusal to pay aligns with Australian government guidance, though it offered no guarantee against later misuse of the data. The case spurred regulatory scrutiny and renewed debate over data-retention practices.
This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.