'As bad as it gets': Extent of Latitude hack revealed

Exclusive: The array of deeply intimate financial information today confirmed as stolen in the Latitude hack is “as bad as it gets”, a cyber privacy expert has declared, leaving 290,000 victims potentially vulnerable to blackmail, extortion and theft.

The 290,000 people affected are part of the 14 million overall customer records known to have been stolen in the breach.

Today’s revelations depict an alarming level of exposure, privacy expert Dr Brendan Walker-Munro told 9news.com.au. 

“In terms of exploitation, this is as bad as it gets,” Walker-Munro said.

“With Medibank the danger was criminals using the stolen data to blackmail or harass people with vulnerable or compromising medical conditions.

“Here, they can just go straight for the money.”

The full extent of the hack has grown significantly worse since the company revealed the attack in March.

Walker-Munro said the breadth and specificity of information taken from 290,000 customers allowed anyone who holds it to essentially mimic a victim’s legal identity to a financial institution.

“A criminal could apply for bank accounts, loans, credit cards – the works.”

“This means they don’t have to try to game the algorithms behind the credit decisions by making up ‘believable’ numbers.”

Hackers can also potentially use that detail to access accounts already held in the name of that customer, he said, or to try and get more information about the person from a government department.

Almost 8 million drivers licenses are known to have be stolen.

Walker-Munro also warned of the possibility that hackers could use this kind of highly personal information in a direct blackmail or ransom scenario.

Read Related Also: Rumble Boxing's Noah Neiman spills celebrity fitness and diet secrets

A victim could get a phone call from criminals threatening to expose how close they are to bankruptcy, or their level of debt, unless a ransom of Bitcoin was paid.

“You have to remember that, statistically, at least some of the customers in the hacked data were having debts recovered from them by Latitude for overdue payments, contract breaches and other things,” he said.

A Latitude spokesperson confirmed “approximately 290,000 BSB and account numbers provided for personal loan disbursements, as well as income and expense information used to assess loan applications”, were compromised in the March cyber-attack.

“No account passwords were stolen,” the spokesperson told 9news.com.au.

“Some cancelled or expired credit card numbers provided for debt consolidation were also compromised.

“No card expiry dates or CVC numbers were stolen.”

Gordon Legal said it was “deeply concerned” about the impact of the data breach on Latitude customers.

“We are investigating how a breach of this size could occur,” the firm said.

Walker-Munro said the kind of information hackers got access to was not unexpected, given core parts of Latitude’s business involved building a complete financial picture of potential borrowers.

On March 16, first announcing the attack, it said more than 330,000 personal records had been impacted.

Less than two weeks later it upgraded the damage to 14 million records, including 7.9 million Australian and New Zealand drivers licences, 53,000 passport numbers and a small number of monthly financial statements.

Australian Federal Police are investigating the crime.