Latitude Group (ASX: LFS) requested its shares be suspended from trading on the Australian Stock Exchange (ASX: ASX) this morning prior to revealing it would take ‘days’ to restore its platforms which are currently offline due to an ‘active’ cyber attack on its systems.
The development comes after Latitude, which offers a personal loans platform, was hit by a ‘sophisticated and malicious’ cyber incident last week that resulted in approximately 330,000 customers having their personal information stolen.
In an update released today, Latitude said it had ‘immediately’ engaged cyber security experts and government agencies to get on top of the ongoing attack on its systems.
Further, the company said that it took the ‘prudent action of isolating some of [its] technology platforms’, meaning it cannot onboard new customers.
“Because the attack remains active, we have taken our platforms offline and are unable to service our customers and merchant partners,” said Latitude, which sells a variety of financial products including credit cards under the brand names CreditLine, Buyer's Edge and Care Credit.
“We cannot restore this capability immediately, however we are working to do so gradually over the coming days and ask our customers for their continued patience.”
The company also said it was conducting a forensic review of its IT platforms to identify the full extent of the theft of customer information.
So far, the company believes 330,000 customers had their personal information stolen, the majority of which (96 per cent) was copies of drivers’ licences or driver licence numbers. Less than 4 per cent of the data stolen was copies of passports of passport numbers, while the rest was Medicare numbers.
“As our review deepens to include non-customer originating platforms and historical customer information, we are likely to uncover more stolen information affecting both current and past Latitude customers and applicants,” Latitude said.
“We will provide a further update when we have more information to share.”
LFS CEO Ahmed Fahour apologised to affected customers for the ‘distress and inconvenience this criminal act has caused’.
“I understand fully the wider concern that this cyber-attack has created within the community.” Fahour said.
“Our focus is on protecting the ongoing security of our customers, partners and employees’ personal and identity information, while also doing everything we can to support customers and applicants who have had information stolen.
“While we continue to deliver transactional services, some functionality has been affected resulting in disruption. We are working extremely hard to restore full services to our customers and merchant partners and thank them for their patience and support. We understand their frustration. Customers should refer to Latitude’s website for regular updates.”
Latitude also said it was reaching out to impacted customers to let them know what personal information was stolen, and give them advice as to steps from here with regard to protecting their identity.
The firm has engaged IDCARE - a not-for-profit specialising in providing free, confidential cyber incident information and assistance - and established dedicated contact centres for impacted customers in Australia and New Zealand.
A review will also be undertaken to fully understand how the cyber attack happened.
“This review will help Latitude to most effectively safeguard our customers, partners and platforms, while contributing to the continued fight against cyber-crime on Australian businesses,” Latitude said.
The company is still assessing its anticipated total cost, including the cost of the support it intends to provide to customers.
Today’s update comes after intellectual property law giant IPH Limited (ASX: IPH) and two of its member firms were also hit with a cyber incident last week.
According to IPH, the cyber incident was primarily limited to the document management systems (DMS) of its head office and two of its member firms in Australia - Spruson & Ferguson and Griffith Hack, as well as the practice management systems (PMS) of the two firms.
The legal giant, which also counts AJ Park, Pizzeys, Smart & Biggar and Applied Marks as group members, said the unauthorised access to its IT environment occurred on 13 March - one day before the company went into a trading halt to address the issue.
Unlike Latitude, IPH is yet to give investors any update on the situation at the time of writing.
It also follows the high-profile cyber attacks at telco Optus and private health insurer Medibank (ASX: MPL) - the latter of which led to class action law suits on behalf of affected customers.
Four different class actions were launched against MediBank following a data security breach last year that resulted in the personal data of 9.7 million Australian customers being stolen by cyber criminals.
This includes a class action from international law firm Baker McKenzie, while three separate actions from Maurice Blackburn, Bannister Law and Centennial Lawyers were combined.
Optus meanwhile is not the subject of any formal class action law suit, however Maurice Blackburn and Slater & Gordon are both investigating the potential for legal action following the telco’s data breach in 2022.
The Optus cyber attack exposed almost 10 million current and former customers to identity theft, and any class action could result in a large payout to those affected.
Get our daily business news
Sign up to our free email news updates.
Help us deliver quality journalism to you.
As a free and independent news site providing daily updates
during a period of unprecedented challenges for businesses everywhere
we call on your support