Latitude Financial - Data Breach

Update:

Latitude Financial confirms data hack is far worse than expected, with 7.9 million people's data stolen

https://www.abc.net.au/news/2023-03-27/latitude-far-worse-cy…

Another day, another data breach.

As of today, Latitude understands that approximately 103,000 identification documents, more than 97 per cent of which are copies of drivers’ licences, were stolen from the first service provider.

Approximately 225,000 customer records were also stolen from the second service provider.

Latitude Cyber Incident Update


Comments

  • +124

    I'm good, my data is already on the dark web through Optus and Medicare ;)

    • +9

      Totally desensitised?

      • +96

        Look at the bright side, these days my spam emails and cold calls are fully personalised.

        • +7

          yeah, scammers know me way better than I know myself

          • @vchar: yea that's why you often need to search garbage stuff, so you don't get a personalized feed (technically you do, but you yourself messed up your interests online by searching random junk)

        • +6

          I can't wait for the days when spam calls are actually nice people just trying to get a big enough sample of my voice to log into my ATO account.

          Sure, I'll get scammed, but at least it'll be pleasant.

          • +2

            @freefall101: Other day, I had a cold call, addressed by my first name, I'm like, "Sorry, this is David from the Cybercrime division", and the rude caller hung up :(

            • @boomramada: Yeah, I try that a lot - "Australian Federal Police - Cybercrime tracking division - how may I direct your call?"

            • +2

              @boomramada: Of course they hung up, they called the wrong number, they were after boomramada and got some David guy instead

    • +2

      Maybe you should buy them for $10 from the scammers :)

    • +3

      man, can you list all your other companies you're with so I know to avoid them!?

    • It is pretty bad how useless Australian companies are at data protection.

    • You mean Medibank? My data too from these two.

  • +2

    I can't remember… did Latitude Pay need your licence? Obviously Latitude Finance would.

    • +1

      When I signed up it didn't ask for mine, this was back in 2012

      • I think Latitude Pay only launched in 2019 🤔

        • +4

          They took over 28 degrees.

          https://www.28degreescard.com.au/

          • +1

            @Homr: Right but that's the credit card product - Latitude Pay is the Afterpay copy product, it's much more recent, which means it's not using old legacy ID data….

            • @Nom: If that's true then I'm ok right? Because I only have their credit card product

              • +1

                @Homr: Not sure, we haven't yet had confirmation about which products the leaks were attached to 🤔

        • rebrand/sold off from GE finance/consumer loan whatever it was to now.
          https://www.latitudefinancial.com.au/about-us/media-releases…

          was doing the same thing anyway, consumer credit and "interest-free" credit via big retailers like Harvey.

    • +1

      Latitude pay needed licence details yes, copies of d/l as referenced in the OP no.

    • Very good question. I only ever had a Latitude Pay account but I can't recall exactly what they needed.

      I don't think I supplied my DL; if I did, it was only the DL number, but not entirely sure?

      I know I did supply them with my credit card details. This is what they used to withdraw the due repayments

    • Got mine as one of those interest free finance jobbies at Hardly Normal. License was taken then.

      It was forever ago and because of Optus my license is updated and I have moved, so most of the data is out of date anyway

  • +1

    ffuuuu

  • +43

    we will probably just get an apology email and they will obviously just get away scot-free with no repercussions as usual

    • +54

      Well of course. Why spend millions on security when you can just say "oops" instead.

      • +12

        Unfortunately you can spend millions on security and still get pwned.

        • +7

          Sounds exactly like those who don't want to spend anything on security.

          You can drive defensively and still be rear-ended. Is this an excuse to not drive defensively?

          You can use protection and still knock up the girl you're with. So no to protection?

          • +11

            @cameldownunder: What I understood from their statement is: “just because they got pwned doesn’t necessarily mean they chose to cheap out on security” and it is clearly what they meant.
            Do you always twist people’s words to make yourself appear smarter?

            • -3

              @Save 50 Cent: Well
              A) I am smarter, that's a fact.
              B) You are confusing Cause and Effect.
              "just because they got pwned doesn’t necessarily mean they chose to cheap out on security" But the opposite is merely true: If you don't spend, as in "cheap out", then the chances of a successful cyber attack are huge

        • Unfortunately you can be a non smoker and still get lung cancer, so let's all light up?

          • +3

            @reactor-au: What ridiculous panda said. How do you know they weren’t spending $$$ on security?

            • @Cheaplikethebird: How do you know they were?

              Anyway, that wasn't the question, I was arguing against the insinuation that there's no point in risk reduction because you can't eliminate the risk altogether.

              • +2

                @reactor-au: Fair enough but that wasn't the point I was making. No matter what you do you still have humans in the mix.

            • @Cheaplikethebird: Because, as long as the consequences are low, and from my knowledge it's up to a maximum of 50M, no company does. For security you need specialists, not just code monkeys, and nowadays 95% of developers are just that, code monkeys.

        • +2

          I would have charged them less than a million to explain to them why storing copies of drivers licenses is a terrible idea.

          Yes, you can never be 100% safe, but you can store your data in a way to minimize harm. Looks like they didn't do that, just like Optus and Medibank.

          I'm pretty sure storing copies of drivers licenses is illegal too.

          • @MrTweek: Totally agree with you there, as would most security professionals. I think the issue is, at least for current customers, that they need to have the drivers license that the contract was opened under on file in case there is ever a dispute.

            • +4

              @Cheaplikethebird:

              they need to have the drivers license that the contract was opened under on file in case there is ever a dispute

              No, they don't. They can verify all the details when you sign up and then dispose of the license.

              I'm an IT contractor, I've seen so many databases at big and small companies and I can tell you the main reason to store sensitive information is laziness and ignorance. Unless someone tells them they HAVE to be more careful, they won't even waste a single meeting on this.

            • +2

              @Cheaplikethebird: Probably stored "Plain Text" or PDF scan, not even encoded.

          • +2

            @MrTweek: Store it encrypted and keep the private key safe. But that's asking too much I guess.
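As an added illustration (not from the thread) of the "verify at sign-up, then dispose of the licence" point and the "keep only what a dispute needs" reply: the sign-up check runs while the scan is in hand, and the only thing retained is a keyed digest of the licence number that a later dispute can be matched against. The licence number, key and `verify_document` interface are constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample application; the licence number is made up, not a real one.
SAMPLE_APPLICATION = {
    "licence_number": "12345678",
    "scan_bytes": b"%PDF- constructed stand-in for the uploaded licence image",
}

# Keyed-hash secret. Assumption: in production this lives in a KMS/HSM, not in
# source. A plain SHA-256 of an 8-digit number is trivially brute-forced from a
# leaked table, which is why the digest is keyed.
DISPUTE_KEY = b"constructed-example-key-replace-with-kms-managed-secret"


def verify_document(application: dict) -> bool:
    """Stand-in for the ID check run at sign-up (assumed interface).
    A real deployment would call a document-verification service here."""
    number = application["licence_number"]
    return number.isdigit() and 6 <= len(number) <= 10


@dataclass(frozen=True)
class RetainedRecord:
    """What survives onboarding: a keyed digest and the outcome.
    No image, no raw licence number."""
    licence_digest: str
    verified: bool


def _digest(licence_number: str) -> str:
    return hmac.new(DISPUTE_KEY, licence_number.encode(), hashlib.sha256).hexdigest()


def onboard(application: dict) -> RetainedRecord:
    """Verify while the scan is available, keep only what a later dispute needs.
    The scan bytes are never written to the record, so a breach of the
    customer store yields digests rather than licence copies."""
    outcome = verify_document(application)
    return RetainedRecord(_digest(application["licence_number"]), outcome)


def matches_on_dispute(record: RetainedRecord, claimed_number: str) -> bool:
    """Later dispute: confirm the claimed licence number without ever storing it."""
    return hmac.compare_digest(record.licence_digest, _digest(claimed_number))
```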

    • +2

      Mate, we're talking about corporations here. That can't possibly be held accountable for anything just like our politicians.

    • Not so. Breaches must be reported to the privacy commissioner and there are hefty fines now.

      • Please link an article where "Hefty fines" have been dished out to OPTUS for example.

        • +1

          [https://www.theguardian.com/business/2022/oct/11/optus-could-face-millions-in-fines-as-two-new-data-breach-investigations-launched]

          It takes time for these things to be finalised.

          That said, the point of my post was that there are now penalties for breaches.

          • +1

            @imurgod: (Penny) penalties are not "Hefty Fines".

            there are hefty fines now. / It takes time for these things to be finalised.

            So there are no "Hefty Fines" yet. Just ….. investigations … ( leading to nowhere )

            • +3

              @cameldownunder: Sigh…. Sure thing

              $2.2M per event is nothing.

              Honestly, everyone is a genius these days despite knowing nothing.

              • @imurgod: Link ? Company ? Event ?

                • @cameldownunder: By your logic, people who run red light cameras won't be fined since they haven't been fined yet.

                  Show me your link to where it categorically states that companies won't be penalised for breaches and investigations will "go nowhere".

                • -1

                  @cameldownunder: https://ministers.ag.gov.au/media-centre/parliament-approves-governments-privacy-penalty-bill-28-11-2022#:~:text=The%20Privacy%20Legislation%20Amendment%20(Enforcement,the%20misuse%20of%20information%3B%20or

                  • @imurgod: That's the theory, like the "Fines up to" …..

                    • -1

                      @cameldownunder: The fines are law. Your comment is theory.

                      It's possible that it won't eventuate but you're talking like they've been simply let off.

                      All I said is that the breaches need to be reported and there are fines and penalties applicable.

                      • @imurgod: Yeah, same law that condemned the driver who rammed the car into a school class and killed 2 kids to what…. community work?

                        • -1

                          @cameldownunder: Pretty random comment but, no, that would be a different law for that very different crime.

                          There must have been mitigating circumstances.

                          Have you ever been to court?

                      • @imurgod: Even if they get a fine of 1-2 Mio ???

                        • @cameldownunder: Ooohhhh you think the total fine is $2M!

                          Mate, that's per item.

                          • @imurgod: We'll see

                            • -3

                              @cameldownunder: We will. You never know with a weak Govt like Labor but then they do hate business, just don't have smarts or balls to deal with them.

  • As of today, Latitude understands that approximately 103,000 identification documents, more than 97% of which are copies of drivers’ licences, were stolen from the first service provider. Approximately 225,000 customer records were also stolen from the second service provider.

    nice …

    thankfully I never used them

  • +6

    The winner from this are the makers of licences; a few hundred thousand more replacement plastics to be issued?

    • QLD TMR no longer does this I think. Saw a note at one of their offices a while back.

    • +2

      Maybe time for VicRoads to get with the times and issue a digital drivers license…

      • They could I suppose, although a digital license is probably more at risk of exposure if all these data breaches are anything to go by.
        I've also noticed a few instances where digital licenses have not been accepted by some businesses.

  • +3

    don't they do the 28 degrees cards?

    • +5

      Yes they do

      • +8

        shit

        • +23

          Hello darkness my old friend.

          • +7

            @HardQuiz: I tried calling their helpdesk and all I get on the line is the Sound of Silence

            • +2

              @jv: That was your 99 999th comment, make next one count!

              • +1

                @nuker:

                make next one count!

                OK, done…

                • +2

                  @jv: Lol!
                  Counter broken??? I still see 99999!

    • +1

      28 degrees have been through several different owners right? I remember GE money, and at least one other before that.

      • +9

        Yeah, I signed up for 28 Degrees a million years ago, so any ID documents they would have had for me would have to be pretty old by now.
        At least, that's what I'm hoping.

        • yeah same!

        • +5

          I was thinking the same but my DOB & DL number hasn't changed.

          • +1

            @Mechz: same… i think i signed up 8 years ago… but I at least renewed my license since then, which now has a card number on it (prev one didn't), which I think most places need now to verify identity…

            Has anyone got an email yet? I haven't

    • +2

      I never provided any driver license photocopy to them to apply for my 28 degrees card. I think this is only for their afterpay equivalent (latitude pay).

  • +6

    "How do I know that my data is secure?"

    OMG they have the CHEEK to put this as an actual question when reporting a breach!!!
    And that's without the ting tong response they wrote

    Imagine getting paid to write that guff….easy money.

    • But the answer is even better. They don't say your data is safe, just that they are doing everything they can.

      • +1

        The data relating to what you spent, where and how much will be fiercely guarded and preserved. The rest… not so much.

  • +1

    I just tried to change my password, no call centre and no web access.
    I guess it's 'cut the hardline' approach to their insecurity.

    • 28degrees website is still available.. hoping that is good news (i can log in and change my password, but can't put a temp block on it)

      • the latitude app still allows

    • I think they are going under like others.. That has been my issue and they reject their price protection policy atm.

  • +19

    hardly a "hack"

    it said a login credential was taken and then used to access the system

    How many of these so called "hacks" are just really sloppy or poor quality security of data or systems (i.e. user error or user laziness)

    • +1

      the "let's email the password to the new starter" policy might have something to do with it

    • +12

      Work in IT. Password hygiene among admins is f***ing terrible. The password policies we enforce on users, I've found most admins switch off those requirements for themselves.

      • +2

        that's why MFA is essential

    • Saw it was a “sophisticated attack”

  • copies of drivers’ licences,

    well at least after the optus stuff up, already got a new license re-issued … sigh

  • +3

    latitudefs.zendesk.com - is their support email [email protected]? - wonders why there was a hack

    • Divserity and inculison!

    • +1

      should be latitudeFFS.zendesk.com :)

  • +1

    These are just the 1% that you hear about… the tip of the iceberg is not the iceberg

  • +12

    There should be a national independent standard of security protocols if companies wish to hold personal information. Yearly audits (basically have to be ISO certified to operate).
    If breached, massive fines and operations suspended until they sort it out and pass the requirements. Might give these companies incentive to invest in the right areas.
