Latitude Financial, a New Zealand-based financial services company, has suffered a major cyberattack resulting in the theft of private information of 20% of the New Zealand population.
The company has apologized to shareholders and borrowers for the breach and stated that it is too early to know the full cost of the attack.
However, the company has confirmed that it has substantial insurance coverage that will help offset some of the direct costs.
“Beyond the one-off costs, the disruption to business as usual is still being assessed and is expected to adversely impact our 2023 growth trajectory and net profit,” said Latitude Financial chairman Michael Tilley.
Privacy watchdogs on both sides of the Tasman are investigating the attack. In Australia, privacy watchdogs have real teeth with fines of up to A$50 million (NZ$53.9m) available for serious failures by companies to keep customer data safe. The company has been prevented from speaking freely to shareholders about the cyberattack because it feared inhibiting or influencing the Australian Police investigation into the crime.
Kiwibank, a New Zealand-based bank, has put on hold its deal with Latitude, which provided personal loans to Kiwibank customers. The bank's CEO, Steve Jurkovich, said that the company is in constant contact with Latitude but has no plans to amplify any problems.
“They've got such a significant issue on their hands, for us it's about we don't want to amplify any problems,” he said. “We're in very constant contact with them, but that's a significant issue they're wrestling with so that's really the situation we're in.”
Latitude Financial's share price has risen since the cyberattack was revealed on March 16, with investors seemingly unconcerned by the breach.
The attack was reportedly carried out via a “third-party service provider,” which Australian media reported to be IT services company DXC Technology. DXC issued a public statement the day after the Latitude cyberattack, which said it was liaising with the Australian Cyber Security Centre over the Latitude attack.
However, Latitude has stated that it accepts full responsibility for protecting customer data and that failure by large global vendors during this attack does not exonerate Latitude of that responsibility.
“We can’t undo what has happened, but we can take responsibility for supporting customers through this, and to take the appropriate steps to safeguard our business from an incident like this happening in the future,” said Tilley.
Latitude has confirmed that it will not pay a ransom for the data to be returned, as that would only incentivize more cybercrime.
Beyond the cyberattack, Latitude Financial shareholders were also told that household savings rates rose sharply due to Covid fears, leading to a recession, which resulted in fewer households needing to borrow to buy the things they needed.