Latitude Financial Data Breach

Latitude Financial was subject to a cyber-attack in March 2023 that resulted in the theft of personal information belonging to customers, former customers and applicants in Australia and New Zealand. Latitude says the incident involved unauthorised access to systems connected with service providers that held customer data.

Latitude has said the breach affected millions of people across Australia and New Zealand. Public reports and Latitude-related breach summaries refer to approximately 14 million customer records being stolen, including identity document numbers and other customer information.

Latitude has confirmed that stolen information included approximately 7.9 million driver licence numbers, 53,000 passport numbers and 6.1 million customer records containing personal information. Other affected information reportedly included names, addresses, telephone numbers and dates of birth.

Yes. Latitude has confirmed that approximately 7.9 million Australian and New Zealand driver licence numbers were stolen. This is significant because driver licence numbers can be used in identity verification and may create long-term identity misuse risk.

Yes. Latitude has confirmed that approximately 53,000 passport numbers were stolen. Affected individuals should follow any instructions from Latitude or the relevant passport authority about whether replacement or additional monitoring is required.

Latitude has said that fewer than 100 current and former customers had a monthly financial statement stolen. Public legal commentary has also referred to income and expense information associated with some loan applications, including some bank account and credit card account numbers.

People who were current or former Latitude customers, or who applied for credit or finance through Latitude or related retail finance arrangements, may have been affected. Latitude provided finance through retailers including Harvey Norman, JB Hi-Fi and The Good Guys, as well as credit cards and personal loans.

Gordon Legal and Hayden Stephens & Associates have publicly stated that they are investigating potential legal action against Latitude. Hayden Stephens also states that a representative complaint has been lodged or conducted at the OAIC in conjunction with Gordon Legal. It is safest to describe the matter as an OAIC representative complaint and potential legal action unless a filed Federal Court class action is separately confirmed.

The Office of the Australian Information Commissioner and the New Zealand Office of the Privacy Commissioner commenced a joint investigation into Latitude. The investigation focuses on whether Latitude took reasonable steps to protect personal information and whether it took reasonable steps to destroy or de-identify information no longer required.

An OAIC representative complaint is a privacy complaint made on behalf of a group of people with similar claims. It can be used where many people are affected by the same alleged privacy interference. If the OAIC makes findings in favour of affected individuals, possible outcomes may include declarations, remedial steps or compensation, depending on the findings and evidence.

Potential compensation may depend on the process used and the evidence available. Relevant impacts could include identity document replacement costs, financial loss, time spent dealing with the breach, distress, anxiety, inconvenience, scam attempts, identity misuse or loss of control over personal information.

Affected individuals should read all Latitude breach notices carefully, follow official guidance, watch for scam calls and messages, change passwords where relevant, enable multi-factor authentication, monitor bank and credit accounts, and report suspicious activity to their bank, Scamwatch, IDCARE or other appropriate support services.

Customers should keep Latitude notification emails or letters, screenshots of scam messages, call logs, bank correspondence, identity document replacement receipts, credit reports, police or Scamwatch reports, IDCARE reference numbers, records of time spent dealing with the issue, and any evidence of financial loss, distress or identity misuse.

Yes. Exposed information such as names, dates of birth, addresses, phone numbers, driver licence numbers and passport numbers can be used in phishing, impersonation, identity fraud or social engineering attempts. Affected people should be cautious of unexpected calls, emails or texts claiming to be from Latitude, banks, government agencies, debt collectors or law firms.

Whether replacement is necessary depends on the information exposed and the rules of the relevant issuing authority. Affected individuals should follow official instructions from Latitude and the relevant state, territory or national identity document authority. Customers should keep receipts and records of any replacement costs.