Millions of Australian and New Zealand customers have had their records stolen in the attack on Latitude Financial announced a fortnight ago.
The data includes up to 7.9 million drivers licence numbers and 53,000 passport numbers.
The attack is the largest-known data breach on a financial institution in Australia.
Here's what we know about the Latitude hack so far.
What do we know about who has been hit by the cyber attack?
The consumer finance company announced on Monday:
- 7.9 million Australian and New Zealand drivers licence numbers have been stolen
- about 53,000 passport numbers were stolen
- fewer than 100 customers had a monthly financial statement stolen
An additional 6.1 million records dating back to "at least 2005" were also stolen. Of these, the company said approximately 5.7 million, or 94 per cent, were provided before 2013.
The hack is far worse than first thought
Latitude first announced it had been impacted by a cyber hack less than a fortnight ago — on March 16 — saying that personal data of almost 330,000 customers had been stolen.
On Monday it confirmed the number of people impacted by this data breach was in the millions.
What is the Latitude Financial CEO saying about it?
"We are rectifying platforms impacted in the attack and have implemented additional security monitoring as we return to operations in the coming days," chief executive officer Ahmed Fahour said in a statement.
"We apologise unreservedly."
Customers who choose to replace their stolen ID document will be reimbursed, the Melbourne-based company has said.
In an announcement to the ASX on Monday the company also said:
"We recognise that today's announcement will be a distressing development for many of our customers.
"We are writing to all customers, past customers and applicants whose information was compromised outlining details of the information stolen and our plans for remediation."
What does Latitude Financial advise if you suspect you're at risk?
"Be vigilant with all online communications and transactions," the non-bank lender said in its statement to the ASX on Monday.
It also added:
- Staying alert for phishing scams via phone, post or email
- Ensuring communications received are legitimate
- Not opening texts from unknown or suspicious numbers
- Changing passwords regularly with "strong" passwords, not re-using passwords, and activating multi-factor authentication when available on any online accounts
- Latitude will not contact customers asking for passwords or sensitive information
When did this data hack happen?
The company first announced the hack less than a fortnight ago and said it believed the data of around 330,000 people had been accessed.
Latitude announced it had "detected unusual activity on its systems over the last few days that appears to be a sophisticated and malicious cyber attack".
It said the attack appeared to have originated from "a major vendor used by Latitude".
This resulted in the attacker obtaining Latitude employee login credentials before being stopped.
Those credentials were then used to steal personal information held by other service providers.
What is Latitude Financial doing about the security breach?
The attack is now the subject of an investigation by the Australian Federal Police.
Latitude says it will "continue to work with the Australian Cyber Security Centre and our expert cyber security advisers."
Latitude Financial provides loans, insurance and credit cards with retailers, including David Jones, JB Hi-Fi, The Good Guys and Harvey Norman.
What is the government doing about the security breach?
"Latitude Financial is cooperating with the government in responding to this incident, and we expect the company to continue to swiftly provide the government with all information it needs," Minister for Cyber Security Clare O'Neil said in a statement.
"It remains our position that no customer should bear the cost of a data breach, and we are working with Latitude Financial to ensure that the customers affected by this attack are protected from immediate and future risks."
The federal government has also announced plans for a national cyber office to be established to lead emergency responses to cyber attacks.
In the wake of the Optus and Medibank hacks, the federal government said it would rewrite Australia's cyber laws to give the government more powers to intervene.
ABC/wires