The cyber-attack that has paralysed the operations of Latitude Financial for almost two weeks has evolved into the largest breach of customer privacy in the local financial services industry, with historical customers of the company most exposed to the security failure.
Latitude on Monday revealed that most of the customer records stolen by the unknown hacker are more than ten years old, which raises concerns about the security of information of at least 2 million former holders of the defunct Coles Myer card.
In a filing to the ASX, Latitude said that approximately 7.9 million driver licence numbers had been stolen from its systems and that only 40 per cent of those had been provided to the company in the last decade.
While most of the concern regarding the impact of the cyber-attack has focused on the customers of existing retail partners of Latitude such as Harvey Norman, it appears the incident might pose a bigger threat to customers of former GE Capital partners such as Coles and Myer.
Latitude also revealed that another 6.1 million customer records had been stolen that were generated between 2005 and 2013 when GE Capital was the exclusive issuer of the Coles Myer Card.
US-based GE Capital offloaded its Australian business in 2015 to a consortium led by Deutsche Bank and global private equity firm, Kohlberg Kravis Roberts.
The local arm was then re-branded as Latitude Financial and listed on the ASX in 2021.
The Coles Myer program was the most popular private label credit card in Australia throughout the first decade of the century.
At the peak of the program’s success in 2005, it had had almost 2 million cards on issue.
Accounting for normal annual cardholder attrition and acquisition, the card could have been used by up to 3 million customers of Myer and Coles in the eight years to 2013.
In response to questions from Banking Day about the potential fallout from the cyber-attack, a Coles spokesperson confirmed that the retailer had been seeking information from Latitude about the data breach.
“Coles continues to seek ongoing updates from Latitude Financial on its investigations,” the Coles spokesperson said.
“We have not received any notification that historical records about our customers have been exposed.”
In its statement on Monday Latitude gave no explanation for why it continued to hold sensitive customer information on its operating platform for up to 18 years.
Generally, it is a standard practice in Australian financial institutions to archive ageing customer data on discs or other storage devices that are remote from main operating platforms.
That would be the normal method for managing customer information in cases where there was no continuing product relationship with a financial services provider.
Coles ended its 20-year relationship with GE Capital in 2015 and has since used Citi Australia (now owned by NAB) to issue its loyalty credit card.
Myer’s partnership with Latitude was terminated in October 2017 when Macquarie won a tender to issue a new credit card sponsored by the national retailer.
A Myer spokesperson declined to answer questions from Banking Day on the potential fallout for its longstanding customers who held cards issued by Latitude and GE.
“Questions on this are best directed to Latitude and not something we are commenting on,” a Myer spokesperson said.
Banking Day has asked Latitude to clarify whether the personal information of subscribers to the Coles Myer card program had been compromised, but had not received a response before the publication’s deadline.
On Monday morning Latitude’s managing director Ahmed Fahour said the company would be writing to all affected past and present customers to outline the process for remediation.
“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident,” he said.
“We apologise unreservedly.
“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document.
“We continue to work around the clock to safely restore our operations.”
Technology consultants are reflecting on the likely long term impact of the breach event at Latitude, including the implications for outsourcing in the financial services sector.
The AFR reported on Sunday that the sensitive customer data held by Latitude was illegally accessed by the unknown hacker through the platforms of a technology partner, DXC Ltd.
Leading Sydney technology consultant Glenn Stafford said the incident would likely result in financial institutions conducting more in-depth due diligence on outsourcing partners.
“Criminal gangs are targeting technology and business process providers to financial institutions to illegally acquire customer information,” he said.
“That’s the big opportunity because the cyber criminals know that these providers have access to the data of financial institutions, telcos and energy companies.”
Stafford observed that the scale of the Latitude data theft might have been compounded by an unstructured approach to data management.