A third of a million Latitude customers just had their data stolen
Personal finance company Latitude Financial has announced a serious breach involving more than 300,000 current and former customers. The company has said it suffered “what appears to be a sophisticated and malicious cyberattack”.
Latitude, which offers loans and buy now, pay later deals, has 2.8 million current customers. Since the company’s announcement, the news has worsened: four days after its initial mid-March statement, Latitude said it was “likely to uncover more stolen information”. Most of the stolen data is believed to be copies of driving licences and their numbers, but about 5 percent is in the form of passports and Medicare cards.
The attack is particularly concerning because the data stolen may allow criminals to take out loans in their victims’ names. Reports of attempts to scam customers via text message have already emerged, and some members of the public have struggled to contact Latitude’s representatives, with the company’s call centre going offline. The news comes as the Office of the Australian Information Commissioner (OAIC) releases figures showing 497 data breaches in the second half of 2022, revealing a 67 per cent rise in the number of attacks from the first half of the year. Australia’s breach nightmare is far from over, and is likely to grow even more troublesome. Every organisation, regardless of size or sector, should immediately look to their security posture.
Sydney’s Raging Waters caught in 1TB global theme park hack
Spanish theme park operator Parques Reunidos has shut down systems and blocked remote access connections and passwords after “unauthorised external access to our computer systems”. Hackers claim to have stolen 1TB of data from the company, which runs 60 amusement parks, zoos and entertainment centres across Europe, Australia and the United States, including Sydney’s Raging Waters park.
A ransomware group, Bian Lian, has claimed responsibility for the incident. The gang say on their Tor site that they have stolen employee, partner and client data, plus legal and financial information. A decryptor has already been released for Bian Lian’s malware, but customers of Raging Waters, which was acquired by Parques Reunidos (Reunited Parks) in 2018, could have their personal data exposed, sold or used in scams.
Sophisticated criminal groups are using increasingly diverse tactics, including multi-pronged attacks that combine ransom with extortion and cross-platform malware, while Ransomware-as-a-Service (RaaS) sees ransomware offered to other criminals as a service.
IPH shares tumble after security breach
Australian intellectual property (IP) services provider IPH has reported a data breach. The incident has affected its document management systems, with administrative data and some client documents and correspondence compromised. Its shares dropped 12% after the announcement.
IPH manages intellectual property like patents, copyrights and trade secrets for clients around the world. It incorporates companies including Spruson & Ferguson and Griffith Hack, which have also been affected by the incident. The group detected “unauthorised access to a portion of its IT environment” on March 16, and is working with external cybersecurity experts on a “forensic investigation… we are advised that this investigation may take some time to complete”.
While personal data is often the main concern after a cyberattack, this breach shines a light on the less publicised area of IP theft, which is a growing risk and one increasingly favoured by nation-state actors.
AI voice scammers are claiming their first victims
Scammers are using audio pulled from sources such as YouTube to impersonate victims’ relatives, often claiming they are in jail and need immediate loans. New AI tools allow criminals to generate realistic voices from snippets of audio.
In one recent incident, scammers are believed to have used a YouTube snowboarding video to sample a Canadian man’s voice. They then called his parents, claiming to be a lawyer and using the audio to suggest that their son was in jail and needed a $22,000 payment. The man said the audio was “close enough for my parents to truly believe they did speak with me”.
AI is already employed by scammers writing phishing messages, but AI-generated audio is a new threat. It’s also been revealed this month that AI tools could help scammers bypass the Australian Taxation Office’s verification controls. However, AI isn’t just bad news in cyber – it also promises better tools for screening, detection and response. But as its sophistication grows, criminals will inevitably jump to find whatever edge they can. Fortunately, a few simple measures can greatly reduce your risk of falling for a scam. Good cyber hygiene, including exercising caution with any request for personal details or cash, is a must.
Good Guys’ customer data exposed after third-party breach
Yet another data breach has hit an Australian company in the last month, as electronics retailer the Good Guys announced an incident at its former supplier, My Rewards. Personally identifiable information, including names, email addresses and phone numbers, is likely to have been exposed online.
The data was compromised after unauthorised access in March 2021, with data such as passwords and dates of birth potentially also affected. The Good Guys no longer partners with My Rewards, meaning all information is historic and relates to a closed loyalty program.
While the Good Guys’ own systems have not been affected by the incident, it’s a reminder that vulnerabilities in partner organisations and supply chains can hit your organisation’s customers – and your reputation – hard. A chain is only as strong as its weakest link, and organisations should be careful who they partner with, and ensure that they only share as much data as is necessary with them.