
Latitude/Gem outline the extent of their data breach, the measures they are taking, and the reimbursements they will make to affected clients, which could total 14 mln people in Australia and New Zealand, and records back to 2005


Latitude / Gem clients today (Saturday) received this email from the company regarding its massive data breach.


Dear [client],

Latitude recently experienced a significant and malicious cyber-attack which resulted in data being stolen from our systems. It is with deep regret that I am sharing with you that some of your personal information was compromised.

As Latitude’s incoming CEO, I want to apologise for the impact that this incident has had on you. Know that we are committed to helping you through this process and hope that, in time, we are able to win back your trust.

This email explains what happened, the support we are offering you and the precautions we recommend you take to lower the risk of your information being potentially misused. Be assured, if you choose to replace your licence, we will reimburse you.

Please take a moment to review the information below and contact us with any additional questions or concerns that you may have. Our dedicated customer service team is ready to help and can be reached on (AU) 1300 793 416 or (NZ) 0800 777 885, 9am – 6pm, Monday – Friday.

You can also stay up to date with the latest information on this matter by visiting our website: latitudefinancial.com.au/latitude-cyber-incident

Again, please accept my sincere apology. Know that we are working around the clock to restore our systems safely and to ensure that you are supported throughout this process.

Sincerely,

Bob Belan
Chief Executive Officer (Designate)
Latitude Financial Services


What happened?

Latitude experienced a malicious cyber-attack that has resulted in a data theft.

Our investigation has identified that the attacker used compromised login credentials, obtained via a third-party, to access Latitude’s network and steal personal information.

We immediately alerted relevant authorities and law enforcement agencies, including the Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP), and engaged external cyber security specialists to work alongside our own teams.

This crime is now under investigation by the AFP.

We also notified the Office of the Australian Information Commissioner (OAIC) and the New Zealand Office of the Privacy Commissioner (OPC) about this incident on 16 March 2023, and we continue to update them on developments.

You have the right to make a complaint to the OPC. They are contactable at their website: privacy.org.nz

What kind of information has been impacted?

We have so far identified that the attack resulted in the following kinds of your personal information being compromised. This information was collected from you at the time you applied for credit from Latitude or our predecessor companies.

Unless we have explicitly notified you, images of your identification document(s) have not been compromised.

  • The licence number on the driver licence you provided us as part of your application.
  • The personal information you provided us as part of your application which, where applicable, included your full name, address, date of birth and phone number.

If we identify any other of your personal information has been compromised, we will notify you as quickly as possible.

Steps we are taking to help you

Replacement of identity documents

Please visit our website latitudefinancial.com.au/latitude-id-information and go to the relevant identity document page for guidance on what to do.

Please read the guidance carefully. In many cases, you may not need to replace your identity document.

We are working with government agencies/departments to streamline the process and avoid you being charged for any required replacement of your licence.

If you choose to replace your licence before this process has been set up, Latitude will reimburse you for the replacement cost. Please retain a copy of your payment receipt and we will advise you of the reimbursement process once our system functionality has been restored.

Latitude Dedicated Contact Centre

We have established dedicated contact centres which are available 9am – 6pm, Monday – Friday on (AU) 1300 793 416 or (NZ) 0800 777 885.

Our teams can help you understand the information provided in this letter. Please be aware that wait times may be much longer than we would like.

Support is available for customers who are in a uniquely vulnerable position as a result of this incident. Our dedicated contact centre teams will be able to provide direct access to the support we have available.

IDCARE Support

Latitude has partnered with IDCARE, Australia and New Zealand’s national identity and cyber support community service. They have expert Case Managers who can work with you in addressing concerns in relation to personal information risks and any instances where you think your information may have been misused. IDCARE’s services are at no cost to you.

If you wish to speak with one of their expert Case Managers, please visit idcare.org or call (AU) 1800 595 160 or (NZ) 0800 121 068, Monday – Friday (excluding public holidays).

When engaging IDCARE, please use the referral code LAT23.

Mental Health Support Line

Mental Health and Wellbeing Support is also available free of charge through our Support Lines on (AU) 1800 808 374 or (NZ) 0800 808 374.

Steps you can take to protect yourself

There are immediate precautions that you can take:

You can contact one of Australia’s credit reporting agencies for a credit report to check if your identity has been used to obtain credit without your knowledge.

In New Zealand, you can check your credit record to confirm if your identity has been used to obtain credit without your knowledge. For further information, please refer to: govt.nz/browse/consumer-rights-and-complaints/debt-and-credit-records/check-your-own-credit-report

You can also request the agencies to place a credit ban or suspension on your credit file via their website or by contacting them directly. Please be aware that you will not be able to apply for credit while the ban or suspension is in place.

      Illion

      AU 1300 734 806 or illion.com.au/credit-report-ban-request
      NZ 0800 733 707 or illion.co.nz

      Equifax

      AU 138 332 or equifax.com.au/eform/submit/credit-ban
      NZ 0800 692 733 or equifax.co.nz/credit-file-suppression

      Experian

      AU 1300 783 684 or experian.com.au/consumer/request-a-ban

      Centrix

      NZ 0800 236 874 or centrix.co.nz/my-credit-score/suppress-your-credit-file

You can find information on how you can protect yourself from the Australian Government at cyber.gov.au or the New Zealand Office of the Privacy Commissioner at privacy.org.nz/resources-2/protecting-yourself-from-a-privacy-breach

Be alert for any phishing scams that may be sent via SMS, phone, email or post.

You should always verify the sender of any communications you receive to ensure they are legitimate.

You should never click on links contained in SMS or email messages unless you know they are from a legitimate source.

Be careful when opening or responding to texts from unknown or suspicious numbers.

Be careful when answering calls from private numbers or callers originating from unusual geographic locations.

You should regularly update your passwords and ensure they are strong. You should use multi-factor authentication where possible.

Further information

The latest information is available on our dedicated webpage: latitudefinancial.com.au/latitude-cyber-incident

You can also view Latitude’s announcements to the ASX via the ‘News Room’ on our website: latitudefinancial.com.au/about-us/news-room

On behalf of the team at Latitude, I am very sorry that I have had to send you this email. Thank you for your understanding and patience.


2 Comments

A couple of points:

When photo proof of identity and address are required, one's Firearm License just on its own is considered to be the single best proof of identity - better than a passport on its own - and from my experience, on its own is accepted by the likes of banks and lawyers. As the license address is Police verified by visit, I usually don't have to supply proof of address to a third party with the inherent risk associated with it being recorded.

Identity security and theft is really becoming an increasingly significant problem as part of AML legislation.

One particular incident concerned me. I sold a yacht a couple of years ago. After agreement the purchaser's finance company approached me prior to releasing the funds as they required a photocopy of my driver's license, proof of address, and as it involved a reasonable sum, they also wanted a photocopy of my passport. I reneged on the passport arguing that the license was sufficient. However, I still remain concerned as I don't know how secure the finance company's - or their parent company's - security is. I don't even know if they are indirectly involved with Latitude.

Then there is the power company, car rental firm . . . . what a gold mine they would be for hackers.  


 

Nice big long email firmly putting the burden of security back on us...

You can also request the agencies to place a credit ban or suspension on your credit file via their website or by contacting them direct....

How about YOU contact them on behalf of your customers..clearly they know what a PITA it is to get this done, try harder  where is the emergency stop button???

You should never click on links contained in SMS or email messages unless you know they are from a legitimate source....

How about YOU should never send SMS messages/codes etc..this is the Swiss cheese of security...this needs to be banned...if not now then when??

Absolute joke, weak and lazy.

 
