Australian FinTech takes itself offline to deal with cyber incident that caused data leak
Latitude blames a 'major vendor' for its woes. Is that a vendor? A cloud? Whoever they are, they're in trouble
Latitude Financial has blamed a supplier for leaking creds that caused vast PII leak Australian outfit Latitude Financial has taken itself offline, and even stopped serving customers, while it tries to clean up an attack on its systems.
The listed company last week called a halt to trade in its shares and filed [PDF] news that it had “detected unusual activity on its systems over the last few days that appears to be a sophisticated and malicious cyber-attack.”
Intriguingly, the company told investors the attack “originated from a major vendor used by Latitude.” More on that later.
Latitude said the attack on the vendor exposed credentials of its staff, which were used to log on to two other service providers it uses for matter such as identity verification. Those creds were used to access over 100,000 identification documents from one service provider and 225,000-plus customer records from the other. Data accessed included details of drivers licenses, passports, and health insurance cards. Australia requires financial services operations to secure multiple forms of identification before opening accounts, so it is not unusual for Latitude to have held this data. New Zealand customers were also impacted.
In a Monday filing [PDF] Latitude revealed the attack is ongoing, so it has “taken our platforms offline and are unable to service our customers and merchant partners.”
The company said it hopes to restore capabilities gradually in coming days.
But it also warned that more customers – past and present – should expect their info has leaked. Even applicants for the company’s products were advised their data may have gone astray.
Taking its services offline means major Australian retailers – including Apple – can’t access Latitude’s consumer credit products that they offer as an alternative payment mechanism.
- Health insurer's infosec incident diagnosis goes from 'take a chill pill' to emergency ward
- Australia asks FBI to help find attacker who stole data from millions of users
- Australia to 'stand up and punch back' against cyber crims
- Significant customer data exposed in attack on Australian telco
Latitude has gone through the usual process of apologising, engaging investigators, and hiring third part services to protect customers’ identities.
But it hasn’t identified that “major vendor” that was the source its troubles.
Considerable speculation has reached The Register regarding the identity of that major vendor. Was it a service provider? A telco? A software or hardware vendor? Or even a cloud?
In any of those scenarios, many other customers are at risk. The Register is therefore watching this one closely as the identity of the major vendor is at least as important as the troubles Latitude and its customers are facing. ®