Latitude, a major financial service provider in Australia, has lost about 14 million customer records to a data breach. The incident was previously reported, but the original estimate was that just 328,000 records had been exposed.
Over half of the stolen records appear to be driver’s license numbers, terrible news for residents that may have already had to get new identification issued due to other major data breaches in recent months. The remainder of the records appear to be the contact information of loan applicants, but this particular set dates all the way back to 2005.
String of data breach woes for Australia dating back to 2022 continues after a short lull
Australia has suffered an unfortunate string of data breaches that now dates back months. Most of this came in late 2022, and there was a short break to start 2023 that made it appear if the trend was over. The hit on the financial services provider, along with other recent incidents, has brought the issue right back to the forefront of discussion.
The loss of driver’s license numbers (nearly eight million) is particularly galling to Australians. The Optus data breach that took place last year involved 2.1 million license numbers, and sent many people to government offices to get new IDs with new numbers issued. Some may be lining up a second time after this breach.
Another component of the data breach that is raising ire is the age of the records involved. Some date back over 15 years, to long before the financial service provider had reorganized as Latitude. Australian law only requires financial records to be held for a minimum of seven years, and the current privacy law stipulates that they must be either fully anonymized or destroyed if the holder no longer has a clear purpose for them.
Financial service provider loses loan application, ID number information
Latitude is a non-bank financial service provider offering personal loans, insurance and credit cards. Given the information it is sitting on, the data breach could have actually been a lot worse. Almost eight million driver’s licenses and six million more files of personal information is certainly very bad, however. Some of the personal information looks to have been taken from the company’s previous existence as a subsidiary of GE Capital and the Australian Guarantee Corporation.
The data breach also impacts customers in both Australia and New Zealand; some New Zealanders may have also had driver’s license numbers exposed. Most of the stolen records that do not contain driver or passport numbers are from prior to 2013.
The financial service provider is also saying that fewer than 100 monthly financial statements were also exposed. Given that the data breach numbers were revised so heavily in under two weeks, customers are probably not completely in the clear with these just yet.
One piece of good news is that the stolen data has not yet surfaced on the dark web. There is also not yet any indication of who the culprit is.