Cyberattack sees Australian fintech take offline • The Register
Latitude Financial has accused a vendor of leaking credit that caused a massive PII leak. Australian outfit Latitude Financial has taken itself offline, and even stopped serving clients, as it tries to clean up an attack on its systems.
The listed company last week halted trading in its shares and filed for bankruptcy [PDF] news that it had “detected unusual activity on its systems in recent days that appears to be a sophisticated and malicious cyber attack.”
Intriguingly, the company told investors that the attack “originated from a major vendor used by Latitude.” More on that later.
Latitude said the attack on the provider exposed the credentials of its employees, which were used to log into two other service providers it uses for things like identity verification. These credits were used to access over 100,000 identification documents from one service provider and more than 225,000 customer records from the other. Data access included details of driving licences, passports and health insurance cards. Australia requires financial services to secure multiple forms of identification before opening accounts, so it’s not unusual for Latitude to have this data. New Zealand customers were also affected.
In a Monday filing [PDF] Latitude revealed that the attack is ongoing, so it has “taken our platforms offline and is unable to serve our customers and trading partners.”
The company said it hopes to gradually restore features in the coming days.
But it also warned that more customers – past and present – should expect their information to have been leaked. Even applicants for the company’s products were informed that their data may have gone astray.
Taking its services offline means major Australian retailers – including Apple – cannot access Latitude’s consumer credit products which it offers as an alternative payment mechanism.
Latitude has gone through the usual process of apologizing, engaging investigators and hiring third-party services to protect customers’ identities.
But it has not identified the “major supplier” that was the source of the problems.
Considerable speculation has reached The register regarding the identity of the major supplier. Was it a service provider? A phone? A software or hardware vendor? Or even a cloud?
In all these scenarios, many other customers are at risk. The register therefore pay close attention to this page, the identity of the main supplier is at least as important as the problems facing Latitude and its customers. ®