Latitude Financial customers frustrated at lack of communication ...

27 Mar 2023

Current and former customers of Latitude Financial are frustrated at the company's lack of communication and have questioned its data retention practices after the non-bank lender confirmed millions of its customers' personal records dating back to 2005 had been stolen in a cyber attack earlier this month.

Key points:
Past and present Latitude Financial customers say they are frustrated at the company's lack of communication about their cyber attack.
Customers have also questioned why Latitude held onto customer data for up to 18 years.
A cybersecurity expert says the Latitude hack shows there are significant security flaws when using third-party systems that need to be addressed.

Latitude Financial disclosed on March 16 that more than 330,000 personal records had been impacted due to a cyber attack, but days later the company warned that the breach could widen.

In a statement released to the ASX on Monday, Latitude Financial confirmed that 7.9 million Australian and New Zealand drivers licences, 53,000 passport numbers and fewer than 100 monthly financial statements had been stolen in the attack.

Latitude also confirmed that 6.1 million customer records that were provided before 2013 were compromised in the hack — including some dating back to 2005.

It makes the Latitude Financial cyber attack the largest-known data breach on an Australian financial institution, although the company has not said exactly how many people have been affected by the breach.

But a lack of communication and a wealth of customer data hoarded away has customers past and present angry and frustrated with Latitude.

Glenn Johnston is one such customer who has been caught up in the data breach.


Glenn Johnston has been a Latitude customer for more than a decade.(ABC News: Daniel Irvine)

He first became a customer of Latitude Financial more than 10 years ago, when the company was owned by GE Capital.

Under the brand GE Money, Mr Johnston used its buy now, pay later services to purchase furniture and electronics.

His data was transferred to Latitude Financial when it was established in 2015, after GE Capital sold its business in Australia and New Zealand to a consortium led by Deutsche Bank, KKR and Varde Partners.

Mr Johnston said he had only received limited communication from Latitude about its data breach.

"We haven't heard anything other than a very generic initial email. And then we hear through further news stories, that has now gone from potentially 300,000 customers to in the millions of customers.

"What frustrates me though is, we've had multiple breaches over the last 12 months, you would think companies would learn from that," he said.

"So both Optus and Medibank, whilst initially they stumbled, they managed to set up systems and processes to help the affected customers.

"We're getting none of that from Latitude."

Amanda-Jo Birchall is a former customer of GE Money and Latitude, and shares Mr Johnston's frustration that the company has not contacted her about the breach.

She first signed up to a GE Money credit card to finance a trip to Tokyo around 2015, and stopped being a customer in 2019 after paying off her debts.

Ms Birchall has had the misfortune of being caught up in another data breach, at a different company she was previously a customer of, but said there was a substantial difference in the two companies' communication strategies.

"I got an email [from this company] saying this had occurred and it's unlikely we are affected," she said.

"But I have not heard anything from Latitude at all."

Latitude Financial has repeatedly declined interview requests with the ABC since it first announced the cyber attack nearly two weeks ago, and has instead shared incremental updates through the ASX.

Cyber security expert at the University of New South Wales, Professor Richard Buckland, said Latitude's ongoing silence was not a positive sign.

"Radio silence isn't good," Professor Buckland said.

"I suspect they're concerned about their reputation and share price and lawsuits, and they're all reasonable things to be concerned about.

"But I think at the moment, the top priority really should be looking after the citizens who have been impacted by this."


Professor Richard Buckland says Latitude Financial's radio silence "isn't good".(ABC News: Elena De Bruijne)

14 million records for 3 million customers

Apart from being frustrated at a lack of communication from Latitude, Mr Johnston said he was also concerned about his data being held by the company for several years.

"Why do they need to have the data that's more than 10 years old?" Mr Johnston said.

"My being a customer goes back more than 10 years, and it was originally transferred I guess without my knowledge and permission.

"We just got transferred over with the sale of GE Money into Latitude. I had no say over what to do with my information."


Latitude Financial provides short-term loans, credit and travel cards, and buy now, pay later services.(ABC News: James Maasdorp)

Ms Birchall is also concerned about the company holding onto her data, even though she has not been a customer in years.

"They took over the company that my credit card was with in 2016, from the looks of the records," she said.

"So from 2016, they've had this data, this information of mine. That's a long time.

"I haven't been a customer for quite some time and yet their breach affects data from way back.

"That's pretty much all the information we need for ID theft isn't it?"


Amanda-Jo Birchall was a Latitude customer for four years but says she has not been contacted about the data breach.(ABC News: Daniel Irvine)

Under the Australian Privacy Principles (APPs), guidelines used by the Office of the Australian Information Commissioner (OAIC), Principle 11.2 states that "entities must also take reasonable steps to destroy or de-identify the personal information they hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs".

"This requirement does not apply where the personal information is contained in a 'Commonwealth record' or where the entity is required by law or a court/tribunal order to retain the personal information."

The laws around financial institution data retention are murky, with several overlapping requirements across different jurisdictions and industries.

The ABC does not suggest Latitude Financial has infringed on or breached this principle.

But Rob Nicholls, an associate professor in regulation and governance at UNSW, said that while properly destroying customer data can be a costly exercise, failing to do so raises questions around corporate and data governance.

"I think part of the problem is that it's cheaper to keep data than to cleanse it properly," he said.

"The other issue is that there is sometimes pressure from sales teams to keep data as a source of prospects.

"In Latitude's case, good corporate governance and good data governance should have raised a question.

"Why are we holding 14 million records when we only have 3 million customers?

"The fact that this basic question was not asked, and that the data of many former and prospective customers was kept, indicates a significant governance deficit."
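APP 11.2 and the "14 million records for 3 million customers" question both come down to one routine check: which held records belong to people who are no longer customers, are past the retention window, and are not under a legal or court-ordered hold. The following is an added illustration, not code from Latitude or the ABC; the seven-year window and the sample records are constructed assumptions, not a legal determination of what any lender must keep.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Record:
    record_id: str
    customer_id: str
    active_customer: bool   # customer still holds a live product
    last_activity: date     # last transaction, statement or contact
    legal_hold: bool = False  # retention required by law or court order (APP 11.2 exception)


# Constructed sample data for the example; not real customer records.
SAMPLE = [
    Record("r1", "c1", True, date(2023, 1, 10)),                    # active customer
    Record("r2", "c2", False, date(2012, 6, 1)),                    # ex-customer, stale
    Record("r3", "c2", False, date(2005, 3, 3)),                    # same ex-customer, older
    Record("r4", "c3", False, date(2019, 11, 30)),                  # ex-customer, inside window
    Record("r5", "c4", False, date(2010, 1, 1), legal_hold=True),   # stale but must be kept
]


def records_to_destroy(records, today, retention_years=7):
    """Records that the APP 11.2 'no longer needed' test would flag for
    destruction or de-identification. Active customers, records inside the
    assumed retention window, and records under legal hold are excluded."""
    cutoff = today - timedelta(days=365 * retention_years)
    return [r for r in records
            if not r.active_customer and not r.legal_hold and r.last_activity < cutoff]


def apply_retention(records, today, retention_years=7):
    """Return the records that remain after the flagged ones are removed."""
    stale = {r.record_id for r in records_to_destroy(records, today, retention_years)}
    return [r for r in records if r.record_id not in stale]


def records_per_active_customer(records):
    """Governance metric behind Nicholls' question: records held per active customer.
    A ratio far above 1 is the signal that a retention review is overdue."""
    active = {r.customer_id for r in records if r.active_customer}
    return len(records) / max(1, len(active))


if __name__ == "__main__":
    today = date(2023, 3, 27)
    print("flagged:", [r.record_id for r in records_to_destroy(SAMPLE, today)])
    print("ratio before:", records_per_active_customer(SAMPLE))
    print("ratio after:", records_per_active_customer(apply_retention(SAMPLE, today)))
```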


Rob Nicholls said Latitude's cyber attack raises serious questions about corporate governance.(ABC News: John Gunn)

Similarities between major cyber hacks

Professor Buckland said Latitude Financial's disclosure of a third-party system being the hack's gateway has parallels to Medibank's cyber attack last year, which impacted 9.7 million customers.

"Medibank has recently released some information about how they were hacked, and it seems that it was a credential, an internal Medibank credential that was stolen through a third-party provider," Professor Buckland said.

"This seems alarmingly similar to the way that Latitude is so far indicating that it was breached."

In its half-yearly report, Medibank said its cyber attack began when a criminal accessed its systems "using a stolen Medibank username and password used by a third-party IT service provider".

Medibank said this was then used to access its network and allowed the criminal to obtain additional usernames and passwords to access several Medibank systems.

Medibank has not disclosed which third-party IT service provider was involved, but confirmed to the ABC that it still uses the provider's services.


Millions of Medibank customers had their personal data stolen when the private health insurer was hacked last year.(AP Photo: Rick Rycroft/File)

Comparatively, Latitude told the ASX the attack started from a major vendor used by the company, which the ABC understands was a back-end infrastructure provider.

Latitude said the hackers then obtained the login details of a Latitude employee, which were then used to steal customer records from two of Latitude's service providers.

Latitude has not clarified what it means by service providers.

Professor Buckland said the similarities between the two cyber hacks show there are cracks in security procedures that need to be urgently corrected.

"I think what we're seeing here is there is a pattern that companies aren't properly securing their businesses no matter what their external assurances are, and we're still seeing the same mistakes happening even after big public disclosures of the consequences of getting it wrong.

"So it looks like maybe this is time for government intervention."
