Latitude Financial has released a statement saying it will not pay a ransom after falling victim to one of Australia’s largest data breaches.
The company has confirmed it has received a ransom demand but said that paying is not in the best interest of its customers.
“We will not reward criminal behaviour, nor do we believe that paying a ransom will result in the return or destruction of the information that was stolen,” the company said in a statement.
“In line with advice from cyber crime experts, Latitude strongly believes that paying a ransom will be detrimental to our customers and cause harm to the broader community by encouraging further criminal attacks.”
The attackers have shared details of the data that was exfiltrated, and Latitude has said it matches up with what it eventually disclosed last month.
Latitude first revealed that it had fallen victim to a cyber attack on 16 March, though it originally believed that only 225,000 customer records were affected. However, on 27 March, the company revealed that the data breach was much larger, with around 14 million individual records compromised.
The affected data included approximately 7.9 million driver’s licence numbers, 53,000 passport numbers, and the names, addresses, phone numbers, and dates of birth of approximately 6.1 million customers.
“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologise unreservedly,” Ahmed Fahour, Latitude Financial’s chief executive, said at the time.
Latitude is currently restoring its business operations, though it is experiencing “longer than usual wait times” on its phone support lines and online support portals.
The Australian Federal Police are investigating the incident, and Latitude is working with the Australian Cyber Security Centre to co-ordinate its response.
“Latitude will not pay a ransom to criminals,” Latitude Financial CEO Bob Belan said as a part of today’s statement. “Based on the evidence and advice, there is simply no guarantee that doing so would result in any customer data being destroyed, and it would only encourage further extortion attempts on Australian and New Zealand businesses in the future.
“Our priority remains on contacting every customer whose personal information was compromised and to support them through this process.
“In parallel, our teams have been focused on safely restoring our IT systems, bringing staffing levels back to full capacity, enhancing security protections and returning to normal operations.
“I apologise personally and sincerely for the distress that this cyber attack has caused, and I hope that in time, we are able to earn back the confidence of our customers.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.