Latitude Financial Attack Costs Company Up to AU$105 Million
Hackers Obtained Access Through a Compromised Credential
Australian consumer lender Latitude Financial Services anticipates its spring cybersecurity incident will cost it up to AU$105 million, which includes a five-week period during which debt collection systems were severely affected by the attack.
Hackers attempted to extort the non-bank creditor after stealing data pertaining to 14 million customers, including nearly 8 million Australian and New Zealand driver's license numbers. They obtained access through privileged credentials acquired from a third party.
Other exposed information includes financial data from nearly 1 million loan applications, such as bank account numbers and payment card numbers. Latitude said most of the payment cards were expired or closed and that hackers did not obtain three-digit security codes or expiration dates.
The company said in April it would not pay the demand (see: Latitude Financial Refuses to Pay Ransom).
Latitude was able to process transactions during the incident, but "account originations and collections were closed or severely restricted." The company has since fully recovered, it says.
In a filing with the Australian Stock Exchange, the company estimated after-tax losses for the first half of 2023 will add up to between AU$95 million and AU$105 million. The amount does not include any potential costs the company could face from "regulatory fines, class actions, future system enhancements or an assumption of insurance proceeds."
In presentation slides released Friday, the company said total containment and remediation costs from the attack will add up to AU$7 million.
Latitude shares fell 3.47% to AU$1.25 on Friday.