Latitude Financial Services data breach
Australian consumer-credit lender Latitude Financial disclosed that attackers had exfiltrated 14 million records — including 7.9 million driver's licence numbers and 53,000 passport numbers — via credentials stolen from a service provider.
- Victim: Latitude Financial Services
- Loss: $50.0M
- Records: 14.0M
- Users: 14.0M
On 16 March 2023, Latitude Financial Services — an Australian and New Zealand consumer-credit lender — publicly disclosed an active cyber incident affecting an estimated 330,000 records. Within two weeks, the scope expanded to 14 million records including 7.9 million Australian and New Zealand driver's licence numbers, making it the largest data breach in Australian financial-services history.
What happened
The intrusion began with stolen employee credentials purchased from criminal markets — the same credential-economy origin that drove the Medibank 2022 breach. The credentials had been harvested by an infostealer (likely RedLine or Raccoon) and surfaced on a Russian-language criminal forum in early February 2023.
The credentials in question belonged to a Latitude employee with access to two third-party service providers that hosted significant volumes of Latitude customer data — the providers were not named publicly but were assessed to be a customer-data management vendor and an identity-verification provider. The employee's account had single-sign-on access to both providers, and the credentials did not have multi-factor authentication enabled for those specific portals.
The attackers:
- Authenticated to the service providers using the stolen credentials.
- Pivoted within the provider environments to access bulk customer record databases.
- Exfiltrated approximately 14 million records over six weeks in January and February 2023.
Detection finally came on 15 March 2023, when Latitude noticed unusual outbound traffic from its environment.
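An added example (not code from Latitude, its providers, or the original page): a sign-in log review for the condition described above, password-only access to third-party portals that hold bulk customer data. The log fields, portal names, account ids and networks are constructed assumptions.

```python
import json
from datetime import datetime

# Hypothetical inventory: third-party portals that hold bulk customer data.
BULK_DATA_PORTALS = {"vendor-crm", "vendor-idv"}

# Constructed sign-in events (JSON lines); the field names are assumptions.
SAMPLE_LOG = """
{"ts": "2023-01-09T08:58:00", "user": "emp-1042", "app": "vendor-crm", "mfa": true, "src_net": "198.51.100.0/24"}
{"ts": "2023-01-10T09:03:00", "user": "emp-1042", "app": "intranet", "mfa": false, "src_net": "198.51.100.0/24"}
{"ts": "2023-01-10T09:30:00", "user": "emp-2210", "app": "intranet", "mfa": true, "src_net": "198.51.100.0/24"}
{"ts": "2023-01-11T09:01:00", "user": "emp-2210", "app": "vendor-idv", "mfa": false, "src_net": "198.51.100.0/24"}
{"ts": "2023-01-12T02:14:00", "user": "emp-1042", "app": "vendor-crm", "mfa": false, "src_net": "203.0.113.0/24"}
{"ts": "2023-01-12T02:20:00", "user": "emp-1042", "app": "vendor-idv", "mfa": false, "src_net": "203.0.113.0/24"}
"""

def review_signins(log_text, bulk_portals=BULK_DATA_PORTALS):
    """Flag password-only sign-ins to bulk-data vendor portals.

    HIGH:   no MFA, from a network the user has never used with MFA.
    MEDIUM: no MFA, from a network the user has MFA-verified before
            (an enforcement gap on the portal, not yet an anomaly).
    """
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
    trusted = {}  # user -> networks seen on MFA-verified sign-ins only
    findings = []
    for e in events:
        nets = trusted.setdefault(e["user"], set())
        if e["mfa"]:
            # Only MFA-verified sessions extend the baseline, so a stolen
            # password cannot "teach" the detector its own network.
            nets.add(e["src_net"])
            continue
        if e["app"] in bulk_portals:
            severity = "MEDIUM" if e["src_net"] in nets else "HIGH"
            findings.append((severity, e["ts"], e["user"], e["app"], e["src_net"]))
    return findings

if __name__ == "__main__":
    for finding in review_signins(SAMPLE_LOG):
        print(*finding)
```

Every finding, including the MEDIUM ones, marks a portal where MFA is not being enforced; the severity only orders the triage queue.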
Records exposed
- 7.9 million Australian and New Zealand driver's licence numbers (issued 2005–2023).
- 6.1 million records of names, addresses, dates of birth, phone numbers — some dating back to 2005.
- 53,000 passport numbers.
- 100+ monthly financial statements containing detailed payment history.
The age of the data (some records eighteen years old) was a particularly painful detail. Latitude had retained customer records from credit applications and loan products going back to 2005, even though many of the affected customers were no longer active Latitude customers and had no expectation of ongoing data retention.
Refused ransom
On 11 April 2023, the attackers contacted Latitude with a ransom demand — reportedly approximately AUD $1 million for non-publication of the stolen data. Latitude's CEO Bob Belan publicly announced the same day that Latitude would not pay, citing the same Australian government guidance that had supported Medibank's earlier refusal:
- Payment provides no guarantee of deletion or non-publication.
- Payment funds further criminal activity.
- Payment may breach OFAC or Australian sanctions if the attackers are tied to designated entities.
As of the time of writing, the stolen data has not been published on a public leak site, though sample records circulated on criminal forums during 2023.
Impact
- 14 million records exposed, including 7.9 million driver's licences requiring reissuance for many affected residents.
- Direct cost: Latitude reported between AUD $76M and $95M before insurance.
- Class actions filed in Australian Federal Court remain ongoing as of 2024.
- OAIC enforceable undertaking in September 2024 — Latitude committed to substantial cybersecurity uplift in lieu of a civil penalty proceeding.
Why it matters
Latitude Financial is the second canonical Australian case (alongside Medibank) for the stolen-credentials + no-MFA-on-third-party vector. It established:
- That third-party service provider access is a primary attack vector for financial services. The breach was not against Latitude's own infrastructure; it was against vendors who hosted Latitude's data.
- That long-tail data retention is a major hidden liability. Records from 2005 were exposed in a 2023 breach because Latitude had no aggressive purge policy for inactive customer data.
- That driver's licence numbers function similarly to passport numbers as effectively-permanent identifiers. Reissuance is administratively expensive and creates downstream fraud exposure across all government and financial services that use the licence as identity.
- That two major Australian refusals to pay in successive years (Medibank 2022, Latitude 2023) have established a national posture distinct from the U.S. or U.K. ransomware-response culture — public refusal as default, with government coordination behind it.
Financial impact
Reported costs in USD
- Business loss: $30.0M
- Remediation: $20.0M
Timeline
- Attackers obtain credentials of a Latitude employee from infostealer-harvested credential markets.
- Operators pivot to Latitude's service provider environments, where the stolen credentials grant excessive privileges. They exfiltrate ~14 million records over six weeks.
- Latitude detects anomalous activity and publicly discloses an active incident; initial scope estimated at 330,000 records.
- Revised scope: 'significantly more than originally thought'.
- Latitude announces 14 million records affected: 7.9M Australian and New Zealand driver's licences, 53K passport numbers, 100+ monthly financial statements.
- Attackers contact Latitude with a ransom demand (~$1M AUD); Latitude publicly states it will not pay.
- Latitude reports cyber-incident cost between AUD $76M and $95M before insurance.
- OAIC accepts an enforceable undertaking from Latitude — substantial cybersecurity remediation in lieu of a civil penalty proceeding.
Sources
- latitudefinancial.com.au: https://www.latitudefinancial.com.au/customer-service/cyber-incident.html
- oaic.gov.au: https://www.oaic.gov.au/news/media-centre/oaic-statement-on-latitude-financial-cyber-incident
- afr.com: https://www.afr.com/companies/financial-services/latitude-cyberattack-cost-might-hit-95m-20230510-p5d77b