Gabi Power 21 April 2023 13:41:06 AEST 17 MIN READ

1 in 14 Million: My Experience with the Latitude Data Breach

As a communications professional working in the cybersecurity industry, I’m well-versed when it comes to data breaches. They’re something I read and write about almost every day. In fact, I hear about them so frequently that I’ve probably become somewhat desensitised, and often catch myself thinking, “Only emails and first names were compromised? No big deal.” In reality, every breach is a big deal, especially for those caught in the crossfire. However, some breaches certainly make a bigger splash than others. 

With approximately 68 records stolen every second around the world, it’s no surprise that I, like many others, have fallen victim to several data breaches. When I enter my email on Have I Been Pwned, I’m shown that my personal information has been compromised in more than ten attacks. However, given that an estimated 75% of data breaches go unreported, coupled with the fact that breaches I’m aware of aren’t even listed, the actual number of breaches involving my data is likely much higher. 

Most recently, I was one of 200 million that had their details exposed in a Twitter data breach. My details, along with 9.7 million others, were also stolen in the October Medibank hack, and even my childhood Neopets account was compromised in an attack last year that impacted almost 70 million individuals.  

The majority of these breaches included my name, email address, and in some instances, passwords, which have since been changed. These details are largely used in phishing or vishing/smishing attacks, and given my background in cybersecurity, I’m confident in my ability to detect and defend myself against these scams (if you need help with this, check out our guide on “What is phishing?” or “How to avoid vishing & smishing scams as attacks continue to rise”), so although it’s not a comfortable feeling knowing that your data could be used in malicious attacks, I’ve never been too concerned.

That was until I received an email from Latitude Financial last week.  

Latitude Data Breach

On the 16th of March 2023, Latitude Group Holdings made a statement that confirmed they had suffered a cyberattack, and that by using an employee’s login credentials, the attacker was able to access approximately 225,000 customer records and over 103,000 personal documents. Of those documents, they estimated that 97% were driver’s licences, and just days later, Latitude revealed that copies of passports, passport numbers and Medicare numbers had also been stolen.  

 However, on March 22nd, Latitude stated that further investigations had shown that there had been a “large-scale information theft affecting customers (past and present) and applicants across Australia and New Zealand”, and on the 27th, it was revealed that the total number of affected customers was more than 14 million, making it the largest data breach of any Australian financial institution. The breached data included:  

  • 7.9 million Australian and New Zealand driver's licence numbers 
  • More than 50,000 passport numbers 
  • 100 monthly financial statements 
  • 6.1 million records dating back to at least 2005 
  • Customer names, dates of birth, addresses, and telephone numbers 

The Aftermath

When the news broke about Latitude’s data breach, I thought I was in the clear. To the best of my knowledge, I had never been a customer of Latitude’s. I’ve never applied for credit with them directly, and any loans or credit cards have been through separate financial institutions. Or so I assumed.  

Last week, I received an email from Latitude confirming that I was indeed impacted by their data breach. However, this didn’t provide a great deal of clarification, with the email stating that the details that were compromised were “collected from you at the time you applied for credit from Latitude or our predecessor companies.” A quick look at their website told me that their predecessor companies include “GE in Australia and New Zealand, including Nissan Finance, AVCO Financial (including Hallmark Insurance) and AGC.” Once again, I hadn’t knowingly applied for loans through any of these companies.  

After doing some deeper research, I found that Latitude’s reach goes a lot further than that email would make it seem.

A recent ABC article stated:  

Even if you haven't had direct contact with the company as Latitude Financial, if you had any connection with GE Money — whether that be applying for a credit card or personal loan, or actually taking one out — that's likely how you are implicated.  

If you've taken out a payment plan with a major retailer like Harvey Norman, Domayne or Apple in recent years, there is a good chance your data has been involved in the Latitude breach. 

And since that article, Coles has confirmed that despite switching financial services from Latitude to Citibank in 2018, “personal information used to issue historical Coles-branded credit cards” was stolen in this attack. While I haven’t intentionally provided any of these businesses or groups my data, until more organisations come forward, I’m simply left guessing how they could have obtained my personal information.  

For now, my best guess is my car loan. Given I purchased my car in 2018 and paid it off two years ago, it’s frustrating to think that my data, including a copy of my driver’s licence, has been kept on file that entire time. For what purpose? I’m no longer a customer; there’s no need to verify my identity.  

Under the Office of the Australian Information Commissioner’s (OAIC) Guide to Securing Personal Information, they provide the below “Information Lifecycle” as a recommendation for businesses.  

When it comes to customer data, Australian businesses are directed to “destroy or de-identify the personal information when it is no longer needed”, but there’s no clear direction on how this is determined. Essentially, the onus is placed on the business to decide what is a reasonable length of time to hold on to data. I’m sure you can see the issue with this. Latitude has since faced backlash for the length of time they’ve held on to customer data, with critics and cybersecurity experts stating that 18 years is unreasonable.

Although the OAIC is currently reviewing this guide, and Australia’s federal government is in the process of strengthening online privacy laws, it still feels as though protecting customer data isn’t taken seriously enough.  

Last year, before the slew of data breaches that have occurred in Australia in the past six months, we questioned, “Are businesses taking data security seriously?”. The answer at the time was a resounding no, and to me personally, it seems that not much has changed. However, it’s not solely the responsibility of businesses to ensure that customer data is protected. The government must also take a more proactive role in creating clear-cut regulations that promote data security and hold businesses accountable for any lapses or breaches that may occur.  

What have I done?

My first step was to investigate getting my licence reissued.  

In the email I received, they linked to a page that lists specific requirements for licence reissuing in each state. Although Latitude made the promise to reimburse the costs associated with replacing licences, as I’m based in Melbourne, VicRoads has committed to doing this free of charge for those that are compromised in cyberattacks.  

The instructions were:  

Shortly, VicRoads will directly contact impacted customers to confirm their licence details have been flagged on the Victorian Licensing Registry and when they can expect to receive their new card. 

The Victorian Government will also activate a two-factor authentication process for essential identity verification checks for affected customers to provide an additional layer of protection. This will require impacted customers to provide both their licence and card number as part of any authentication processes.  

After doing some research online, I found that VicRoads do also provide a number (13 11 71) that you can call to arrange a replacement for compromised licences or permits, but rather than clog their typically busy lines, I decided to wait as instructed – for now. Knowing just how easy it is for cybercriminals to carry out identity fraud, waiting makes me feel like a sitting duck. Especially given my data has been in the wrong hands for more than a month now.

The next step was to check my credit. In their email, Latitude states, “You can contact one of Australia’s credit reporting agencies for a credit report to check if your identity has been used to obtain credit without your knowledge”. Fortunately, I already had an account with a credit reporting agency that showed that there had been no unusual activity in my name. 

After reading through advice on the agency’s website, I chose to temporarily freeze my credit. This means that “Credit Reporting Bodies are not able to disclose your Credit Report to lenders to prevent credit being acquired in your name”, and the ban lasts for 21 days unless you choose to end or extend it. It took just seconds to set up, I’ll be notified if anyone attempts to apply for credit in my name, and most of all, it will give me peace of mind until my licence is reissued.  

The other advice that Latitude provides includes:  

  • Be alert for any phishing scams that may be sent via SMS, phone, email or post. 
  • You should always verify the sender of any communications you receive to ensure they are legitimate. 
  • You should never click on links contained in SMS or email messages unless you know they are from a legitimate source. 
  • Be careful when opening or responding to texts from unknown or suspicious numbers. 
  • Be careful when answering calls from private numbers or callers originating from unusual geographic locations. 
  • You should regularly update your passwords and ensure they are strong. You should use multi-factor authentication where possible. 

And, if you have any questions about what the breach means for you, or you think your identity has been compromised, Latitude has partnered with IDCARE, which is an identity and cyber support community service for those in Australia and New Zealand.   

Ultimately, data breaches are confusing and frustrating, and for some, downright frightening. When your data has been compromised, it truly is a waiting game. Waiting to find out if you were impacted, waiting for VicRoads to call, and waiting to see if your personal information will be fraudulently used. And unfortunately, there’s rarely a resolution. All that we can hope for is stricter laws surrounding data collection and privacy which will help protect customers in the future.    

Data breaches can be extremely confusing, frustrating, and even frightening for some. Once your data has been compromised, you’re left with a sense of uncertainty and helplessness as you wait to find out if you were impacted, wait for VicRoads to call, and wait to see if your personal information will be fraudulently used.  

Unfortunately, there’s often no clear resolution to these situations. However, stricter laws surrounding data collection and privacy could help protect customers in the future, and we can only hope that such measures will be put in place to prevent incidents such as this from happening again.  

Fortify your defences

If you have also been impacted by Latitude's data breach and don't currently have any email security solutions in place, or you're unhappy with your current provider, now is a crucial time to strengthen your cyber position. 

No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, you can use a specialist cloud email security solution like MailGuard to enhance your Microsoft 365 security stack.

For more information about how MailGuard can help defend your inboxes, reach out to our team at expert@mailguard.com.au.      
