The situation for the Latitude hack has become worse with the owners forced to take the site offline.
The non-bank lender confirmed that Medicare numbers and "copies of passports or passport numbers" were included in the theft of personal information affecting approximately 333,000 customers and applicants.
[...] Latitude said of the stolen information, approximately 96 per cent was "copies of drivers' licences or driver licence numbers", "less than 4 per cent was copies of passports or passport numbers" and "less than 1 per cent was Medicare numbers".
"Because the attack remains active, we have taken our platforms offline and are unable to service our customers and merchant partners," the statement said.
[...] But frustrated customers have hit out at Latitude's handling of the hacking, describing it as "pathetic" and "disgusting".
"How long will it take to find out if I am affected? If my details have been stolen I'd like to know now. Identity theft and/or financial ruin due to your lack of security and saving items such as my drivers licence is not okay," one woman wrote on social media.
"We need more information asap," one woman pleaded. "Do we need to change our licences, change our bank accounts? As this has been happening lots what have you done with your cyber security? As a ex Security officer this is a major huge breach and should not happen. Someone dropped the ball big time."
Previously it had only been confirmed that drivers' licences were taken.
(Score: 4, Insightful) by Thexalon on Friday March 24 2023, @04:23PM (5 children)
There is no recorded instance of a large business being erased from existence for a data breach. The worst that could possibly happen to those responsible for the failures is that they get fired and have to find a new job, although more likely is that they find a junior engineer who misconfigured something (at the direction of their superiors, but the people who are scapegoating that junior engineer will leave that part out) to fire.
The financial incentives on data security are all pointing in the wrong direction: Collect as much as you possibly can, swear up and down that it's completely secure, ignore its actual security. GDPR had its heart in the right place, but until there's an ongoing financial cost to having data about people it's going to keep on getting collected and keep on getting leaked in data breaches.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by Gaaark on Friday March 24 2023, @05:05PM (1 child)
It appears to be running on MS Azure.
https://sitereport.netcraft.com/?url=https://www.latitudefinancial.com.au [netcraft.com]
There's your 'misconfiguration', methinks.
Some top execs need to be fired, and mega-fines should be brought forth, not just slap-on-the-wrist fines. Reality will be watered down, though.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 3, Informative) by Thexalon on Friday March 24 2023, @06:11PM
Exactly my point: There probably won't be any fines at all about this. Just like there weren't for Equifax, or any of the other major data breaches over the years. The regulations just don't care one bit, executives respond to that incentive, and now we have super-insecure data floating all over the place strangely thought of as important and reliable.
(Score: 3, Insightful) by guest reader on Friday March 24 2023, @09:26PM
You have a good point about GDPR. GDPR is still new. GDPR's requirements are not yet fully implemented but there is significant pressure (from my experience). This includes, for example, encryption of customer data.
A business could be erased for a data breach if it is in the EU and does not comply with GDPR. From Art. 58 GDPR Powers [gdpr-info.eu] which is referenced from GDPR Fines / Penalties [gdpr-info.eu]:
GDPR is good for the customers. GDPR is now also good business for software companies since large companies in the EU simply want to be compliant with GDPR as soon as possible in order to continue their business and make millions of EUR every day.
(Score: 1, Informative) by Anonymous Coward on Saturday March 25 2023, @06:35AM (1 child)
Australia is working on improving laws to make it more expensive for businesses when data breaches happen. It can't come soon enough.
Right now the Commonwealth Bank has changed its policy to require all customers to submit their driver's licence or other photo identification to be scanned and retained forever.
(Score: 0) by Anonymous Coward on Monday March 27 2023, @06:41AM
It just got worse: https://www.news.com.au/finance/business/other-industries/latitude-finance-hacking-far-worse-with-14m-customers-details-stolen/news-story/7dcb60dbad0177d396120c598dee2bdb [news.com.au]
How is this not front page news?