Latitude Financial rejects ransom demand after hack

Cassandra Morgan

Personal lender Latitude Financial is refusing to pay a ransom to cyber criminals after millions of customer records were stolen. 

The company said on Tuesday it could see no benefit to consumers in rewarding criminal behaviour.

“Latitude will not pay a ransom to criminals,” chief executive Bob Belan said.

“Based on the evidence and advice, there is simply no guarantee that doing so would result in any customer data being destroyed and it would only encourage further extortion attempts on Australian and New Zealand businesses.”

About 7.9 million people had their driver’s licence details taken and about 53,000 passport numbers were stolen in the hack, which was detected last month.

Latitude also admitted an additional 6.1 million records dating back to at least 2005 were poached, including names, addresses, phone numbers and birth dates.

Fewer than 100 customers had a monthly financial statement stolen, Latitude told the ASX in March.

The attackers laid out what data they stole as part of the ransom threat and it was consistent with Latitude’s disclosure about how many customers were affected, the company said.

Australian Federal Police is investigating the hack and Latitude is working with the Australian Cyber Security Centre and cyber security experts.

The company is contacting all customers whose information was compromised, outlining what was stolen and its plans for remediation.

Latitude has insurance policies to cover risks, including cyber security risks, and has notified insurers about the hack. 

“Our teams have been focused on safely restoring our IT systems, bringing staffing levels back to full capacity, enhancing security protections and returning to normal operations,” Mr Belan said.

The company has not detected suspicious activity in its systems since March 16.

Cyber Security Minister Clare O’Neil confirmed Latitude’s decision to reject the ransom demand was consistent with government advice.

She said cyber criminals cheated, lied and stole, and paying them only fuelled the ransomware business model.

“They commit to undertaking actions in return for payment but so often re-victimise companies and individuals,” Ms O’Neil said on social media.

She wanted Australia to be the most cyber-secure country in the world by 2030 and said Australians had to deny hackers profits from their crimes to achieve that.

Cyber security company Palo Alto Networks’ regional chief security officer Sean Duca agreed with the approach but said it should be up to businesses and organisations to determine if they negotiate ransoms.

Mr Duca said they should consider whether attackers could prove they stole data and whether they were likely to give it up if a ransom was paid.

He said they should also weigh the value of the data lost, and the situation would be complicated if critical infrastructure such as a hospital was hacked.

Mr Duca said cyber insurance could help fund a company’s remediation efforts or ransom payments but it wasn’t a panacea and the Latitude hack should prompt organisations to take stock of their own data and consider whether they were holding on to it unnecessarily.

“If you don’t need to hold (data) beyond (a certain) amount of time … get rid of it,” he told AAP.

Mr Duca called for companies to be bound by a nationally agreed-on time frame for how long they should retain customer data beyond industry-specific requirements. 

AAP