Latitude Financial Services says the cyber attack it's battling has resulted in the theft of about 7.9 million Australian and New Zealand drivers' licence numbers and about 53,000 passport numbers.
Latitude offers personal loans, car loans, credit cards and insurance in NZ under the Gem Finance brand. Its buy now pay later service Genoapay recently stopped accepting new customers. Victims of the cyber attack include Latitude customers, past customers and applicants. Latitude is the former GE consumer finance business.
The Australian stock exchange-listed company first disclosed the attack on March 16, saying it had detected unusual activity on its systems over the preceding few days that appeared to be a sophisticated and malicious cyber-attack. Latitude says the activity is believed to have originated from a major vendor used by Latitude, with the attacker able to obtain Latitude employee login credentials before the incident was isolated. The attacker appears to have used the employee login credentials to steal personal information held by two other service providers, Latitude says.
In an update on Monday Latitude says, to the best of its knowledge, no suspicious activity has been observed in its systems since March 16.
"As our forensic review continues to progress, we have identified that approximately 7.9 million Australian and New Zealand driver licence numbers were stolen, of which approximately 3.2 million, or 40%, were provided to us in the last 10 years," Latitude says.
"In addition, approximately 53,000 passport numbers were stolen. We have also identified less than 100 customers who had a monthly financial statement stolen. We will reimburse our customers who choose to replace their stolen ID document."
"A further approximately 6.1 million records dating back to at least 2005 were also stolen, of which approximately 5.7 million, or 94%, were provided before 2013. These records include some but not all of the following personal information: name, address, telephone, date of birth," says Latitude.
"Latitude maintains insurance policies to cover risks, including cyber-security risks, and we have notified our insurers in respect of this incident. We recognise that today’s announcement will be a distressing development for many of our customers and we apologise unreservedly."
A Latitude Financial NZ spokeswoman says the company is working through the data with the aim of providing a breakdown on the number of NZ victims. Those impacted in NZ will include some borrowers who have personal loans through Kiwibank, which are provided by Latitude.
Latitude says it's writing to all customers, past customers and applicants whose information was compromised outlining details of the information stolen and its plans for remediation.
Internal Affairs has provided this information for New Zealanders whose passport details have been stolen in the attack. Waka Kotahi has provided this information for people whose drivers' licence information has been stolen.
Latitude recommends New Zealanders check their credit record to confirm if their identity has been used to obtain credit without their knowledge.
“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly," Latitude Financial CEO Ahmed Fahour says.
“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full review of what has occurred."
“We urge all our customers to be vigilant and on the look-out for suspicious behaviour relating to their accounts. We will never contact customers requesting their passwords. We continue to work around the clock to safely restore our operations. We are rectifying platforms impacted in the attack and have implemented additional security monitoring as we return to operations in the coming days," says Fahour.
Latitude says the attack is being investigated by the Australian Federal Police, and it's working with the Australian Cyber Security Centre and its own cyber-security advisers.
Latitude's full statement is here.
And there's much more on cyber crime in this episode of our Of Interest podcast.
Latitude says the activity is believed to have originated from a major vendor used by Latitude, with the attacker able to obtain Latitude employee login credentials before the incident was isolated. The attacker appears to have used the employee login credentials to steal personal information held by two other service providers, Latitude says.
That doesn't sound sophisticated, that sounds opportunistic. If the attacker had also been able to compromise Latitude's MFA, that would be sophisticated. By the sound of it, Latitude didn't even use MFA.
- Blowfish
- SHA-256
- SHA-512
- MD5
- DES-based
..whatever
All these crypt (encryption) functions literally take ONE LINE of CODE to implement. To be honest they don't even take a third of a line to implement.
So really, I think it's time for fines.
XML and SQL injection can be largely mitigated by escaping strings - this LITERALLY takes less than 5 words!
Did they even have 2FA?
A complete failure of technical management of private data - a security audit from any security agency would pick these things up in a heartbeat and as you say, could be implemented quite quickly. Though I imagine the stack is old and spaghetti, that one line of code needed to be implemented 10s to 100s of times and no test coverage. All to save money. So yes, time for fines.
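Added example, not from the article or from any commenter: the thread above says SQL injection can be mitigated by escaping strings. The script below uses Python's standard sqlite3 module against a constructed in-memory table of invented customer rows (table, column and value names are assumptions for the illustration). It runs the same hostile input through the injectable concatenated query, through the quote-escaping mitigation the comment describes, and through a parameterized query, then repeats the exercise in a numeric context where quote escaping does nothing, which is why parameter binding plus input validation is the form a security reviewer would ask for.

```python
import sqlite3

# Constructed sample data: invented rows, not real customer records.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.invalid", "DL-000001"),
    (2, "bob", "bob@example.invalid", "DL-000002"),
    (3, "carol", "carol@example.invalid", "DL-000003"),
]

# A classic tautology payload for a quoted string context.
STRING_PAYLOAD = "' OR '1'='1"
# A payload for an unquoted numeric context; contains no quote at all.
NUMERIC_PAYLOAD = "1 OR 1=1"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, username TEXT, email TEXT, licence TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input concatenated straight into SQL: the injectable pattern."""
    sql = f"SELECT id, username, licence FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, username):
    """The 'escape strings' mitigation: double any single quote before concatenating.
    This does block STRING_PAYLOAD, but only because the value sits inside quotes."""
    safe = username.replace("'", "''")
    sql = f"SELECT id, username, licence FROM customers WHERE username = '{safe}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Bound parameter: the driver sends the value separately, so it can never
    be parsed as SQL regardless of what characters it contains."""
    return conn.execute(
        "SELECT id, username, licence FROM customers WHERE username = ?", (username,)
    ).fetchall()


def lookup_by_id_escaped(conn, customer_id):
    """Quote escaping applied to a numeric context. The payload has no quotes,
    so escaping changes nothing and the WHERE clause becomes 'id = 1 OR 1=1'."""
    safe = str(customer_id).replace("'", "''")
    sql = f"SELECT id, username, licence FROM customers WHERE id = {safe}"
    return conn.execute(sql).fetchall()


def lookup_by_id_parameterized(conn, customer_id):
    """Validate the type first (raises ValueError on garbage), then bind it."""
    cid = int(customer_id)
    return conn.execute(
        "SELECT id, username, licence FROM customers WHERE id = ?", (cid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated, string payload :", lookup_vulnerable(db, STRING_PAYLOAD))
    print("escaped, string payload      :", lookup_escaped(db, STRING_PAYLOAD))
    print("parameterized, string payload:", lookup_parameterized(db, STRING_PAYLOAD))
    print("escaped, numeric payload     :", lookup_by_id_escaped(db, NUMERIC_PAYLOAD))
    try:
        lookup_by_id_parameterized(db, NUMERIC_PAYLOAD)
    except ValueError as exc:
        print("parameterized, numeric payload rejected:", exc)
```

Running it shows the concatenated query returning every row for the string payload, the escaped and parameterized versions returning nothing, and then the escaped numeric query again returning every row while the validated, parameterized version refuses the input outright. Escaping is context-dependent and easy to get wrong; binding is not.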
Fines - maybe a class action payout to customers would be a better solution - and a big one
So is this the same risk we are exposed to every time a solicitor or accountant etc. asks for our identity information? I can't imagine that their security is any better than Gem's has turned out not to be.
Are you privy to information on how the data was stolen? The algorithms you mention suggest they did not encrypt data at rest? Yet they talk about access being gained from a compromised login account. This could have led to access to the live system, in which case encryption is moot.
Another possibility is the '3rd party vendor' is an IT outsourcer; possibly their account had access to the decryption keys.
Security is complex, restricting access to those who shouldn't while allowing access for those that should. If you are relying on someone that thinks one line of code is all it takes then you are in trouble.
________________________________________________________________________________________________________
********************************************************************************************************************
If you are a regular reader on interest.co.nz, and concerned with the tenor of the comments as of late, can I please encourage you to raise your concerns directly with the Managing Editor of the site.
Gareth Vaughan is the Managing Editor. You can contact him at gareth.vaughan@interest.co.nz His direct line is +64 9 361-6881.
If you feel that a comment is bullying, harassment, hate speech, or extremism, then the appropriate external channel to register a complaint is Netsafe.
https://report.netsafe.org.nz/hc/en-au/requests/new
How about we all do our bit to get these posters removed, so we can get back to civil discussion.
________________________________________________________________________________________________________
********************************************************************************************************************
You don't need any sophisticated attacks. A couple of years ago I wanted to open a KiwiSaver account for my kids with one of the 2nd tier KiwiSaver providers (not a default one) who had quite a good package for kids.
After my initial enquiry they asked me to email through my and my kids passport copies and other ID documents. When I questioned this practice - email being possibly the least secure form of communication online - they replied that they didn't have any other way and all their clients opened accounts for their kids that way.
I balked at that and told them what I thought of their security practices and went with a different provider who had the sign-up process on a secure website. I feel sad for all those poor, unfortunate souls who just handed that information over without questions..
If it's the only way they will accept it,
You could create a password protected email - send that to them then call them to tell them what the password is.
The email is never sent; rather, it sits on the mail server encrypted and Kiwibank pulls it straight off your mail server using the password.
I have done this before. doesn't need PGP.
No way. If their customer acquisition process is so lacking in basic data protection considerations, imagine what their back office operations must be like. I would have zero trust that they could keep my data safe and secure. To me that was negligent at best...
(They did not suggest password protecting the email)
The bigger issue is the fact that this information is required to be retained by the government due to this KYC legislation.
It's much like storing credit card information with a website for repeat purchases. If any of these providers' security practices are shonky, then you are exposed.
I know I've said it before but just in case this hits a bigger audience, and I see Kiwibank is impacted by this for personal loan applications.
Request a permanent suppression of your credit report. You need to request this for all 3: Centrix, illion and Equifax. Note these agencies make a lot of money out of your credit data so they do not like doing this... well, too bad.
Get new ID and charge Latitude for it. Be careful though with the driver's licence: ensure the replacement gets a new version number. It may be that simply renewing does not get you a new version number, otherwise the rest of the licence info is the same.
Hope this helps...also IDCARE are really good and have useful info and are free.
Kiwibank is only involved in the sense that it offers personal loans through Latitude - https://www.kiwibank.co.nz/personal-banking/personal-loans/
Passport number wouldn't be a worry realistically, as the only thing it is primarily registered with is Interpol and Five Eyes for travel movements. Renewing your passport and getting a new number doesn't change someone's ability to use the old number for any other purposes once it is out there, so worry not. The NZ passport is the most securely made passport in the world with over 150 security features, therefore it is not worth the effort of even trying to forge one. I used to work for DIA and can confirm it isn't as big a deal as you'd think, as once the info is out there it is out of your control entirely.