Statement Of Notification
On 16 March 2023, Latitude1 announced that it had experienced a malicious cyber-attack over the prior few days that resulted in a data theft.
Our investigation identified that the cybercriminals used a compromised credential, obtained via a third-party, to access Latitude's network and steal personal information.
We immediately alerted relevant authorities and law enforcement agencies, including the Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP), and engaged external cyber security specialists to work alongside our own teams.
This crime remains under investigation by the AFP. We also notified the Office of the Australian Information Commissioner (OAIC) and the New Zealand Office of the Privacy Commissioner (OPC) about the incident on 16 March 2023, and we continue to work with them.
What kind of information has been impacted?
The attack resulted in different kinds of personal information being compromised. The personal information was provided to Latitude and/or one of our predecessor companies in Australia and New Zealand, including GE Money, Australian Guarantee Corporation (AGC), Pacific Retail Finance or AVCO, when customers made an enquiry, sought a quote, or applied for a personal loan, motor loan or other credit product, including credit cards branded as Gem, GO, CreditLine, Buyer's Edge or in the name of a retailer. The information was used to verify identity and/or to assess and process applications.
The kinds of personal information that were compromised could include some or all of the following for an affected customer:
- Names, contact details, dates of birth
- Images and/or numbers of driver licences, passports, or other identification documents such as proof of age cards
- Medicare card details
- General financial information which was provided as part of an application, including details about employment, income and expenses.
Bank account passwords and expiry dates/3-digit CVC numbers for credit cards were not compromised.
Notification of affected customers
Since the attack, we have attempted to directly notify, via email or letter, customers who had an identification document (such as a driver licence or passport), Medicare card and/or financial information compromised.
The direct notifications described the compromised information of the affected customer (but did not include the compromised information itself) and provided specific guidance and recommendations on steps that the affected customer could take to protect themselves.
We completed the above notification process for the vast majority of affected customers by 30 June 2023.
This Statement is a notification to those affected customers whom we have not contacted directly, or who have not successfully received a direct notification email or letter from us.
Steps we are taking to help affected people
We are fully aware that having any personal information compromised is likely to be distressing and concerning. We have therefore put in place the following measures to support all of our customers.
Customers can contact us on (AU) 1300 793 416, 9am–6pm, Monday — Saturday, or (NZ) 0800 777 885, 9am–6pm Monday to Friday, excluding public holidays.
Please be aware that wait times may be longer than we would like.
If customers are concerned that they may be in a vulnerable position because of this incident, our dedicated team will be able to provide appropriate support and assistance.
If you are concerned about the impact of the theft, IDCARE expert Case Managers can be contacted at www.idcare.org or call (AU) 1800 595 160, 8am–5pm AEST, or (NZ) 0800 121 068, 10am–7pm NZST, Monday – Friday (excluding public holidays).
Please use the referral code LAT23.
IDCARE's services are available at no cost.
Where needed we will reimburse customers for the replacement cost of their stolen ID document.
- Customers have the right to make a complaint to us in the first instance or to the OAIC at oaic.gov.au/privacy/privacy-complaints/what-you-can-complain-about or to the OPC at privacy.org.nz/your-rights/making-a-complaint
Steps that affected customers can take to protect themselves
In addition to the actions that we are taking to help customers, there are precautions that customers should take to protect themselves. Please refer to our webpage latitudefinancial.com.au/latitude-cyber-incident for our recommendations on steps that customers should take.
1 In Australia, this statement is given by Latitude Financial Services Australia Holdings Pty Ltd (trading as Latitude Financial Services) on behalf of Latitude Finance Australia (ABN 42 008 583 588), Latitude Personal Finance Pty Ltd (ABN 54 008 443 810), Latitude Automotive Financial Services Pty Ltd (ABN 80 004 187 419), Hallmark General Insurance Company Ltd (ABN 82 008 477 647) and Hallmark Life Insurance Company Ltd (ABN 87 008 446 884), as applicable, as well as Symple Loans Pty Ltd (ABN 65 624 150 849) and LatitudePay Australia Pty Ltd (ABN 23 633 528 873). In New Zealand, this statement is given by Latitude Financial Services Ltd (NZ5624865), on its own behalf and on behalf of the New Zealand branches of Hallmark General Insurance Company Ltd (ABN 82 008 477 647) and Hallmark Life Insurance Company Ltd (ABN 87 008 446 884), and Latitude Innovation Holdings Limited (7146597) as applicable.