Latitude 'sincerely' apologises to shareholders for massive cyberattack

Thursday, 27 April 2023

Latitude is an Australian lender with a large New Zealand lending business, including through the Gem by Latitude brand.

Latitude Financial chairman Michael Tilley has apologised “sincerely” to shareholders and borrowers for the massive cyber-failure that saw private information of 20% of the New Zealand population stolen.

Privacy watchdogs on both sides of the Tasman are investigating, but it is in Australia where privacy watchdogs have real teeth with fines of up to A$50 million (NZ$53.9m) available for serious failures by companies to keep customer data safe.

Speaking at the lender’s annual general meeting on Wednesday, Tilley told shareholders the company had been prevented from speaking freely to shareholders about the cyberattack because it feared inhibiting or influencing the Australian Police investigation into the crime.

In New Zealand, Kiwibank has put on hold its deal with Latitude, which provided personal loans to Kiwibank customers.

* Privacy Commission says Latitude cyber attackers got away with data on 20% of the population

The incident also includes passports, the number of which is still unknown.

* Latitude refuses to pay hackers' ransom demand

It’s not clear whether Kiwibank will continue to steer customers Latitude’s way.

Chief executive Steve Jurkovich said: “They've got such a significant issue on their hands, for us it's about we don't want to amplify any problems.

“We're in very constant contact with them, but that's a significant issue they're wrestling with so that's really the situation we're in.”

Latitude Financial shares are traded on the Australian ASX sharemarket. Investors seem unconcerned by the cyber breach, with Latitude’s share price rising since the cyberattack was revealed on March 16.

Kiwibank customers were among those whose data was stolen in the Latitude cyberattack.

Tilley said the attack came via a “third-party service provider”, which Australian media reported to be IT services company DXC Technology. DXC issued a public statement the day after the Latitude cyberattack, which said it was liaising with the Australian Cyber Security Centre over the Latitude attack.

But, Tilley said, Latitude accepted that “only it is responsible for protecting customer data, and that failure by large global vendors during this attack does not exonerate Latitude of that responsibility.”

Latitude had tested the company’s systems by hiring outside experts to run mock cyberattacks, he said.

It was too early to know how much the attack would cost the company, but Tilley said Latitude had substantial insurance cover that would help offset some of the direct costs.

“Beyond the one-off costs, the disruption to business as usual is still being assessed and is expected to adversely impact our 2023 growth trajectory and net profit.”

Latitude would not pay a ransom for the data to be returned, as that would only incentivise more cyber crime, Tilley said.

“We can’t undo what has happened, but we can take responsibility for supporting customers through this, and to take the appropriate steps to safeguard our business from an incident like this happening in the future.”

There were other “lowlights” for shareholders to digest, including that savings rates at households rose so sharply as a result of Covid fears, and then recession worries that households’ saving balances rose, so fewer needed to borrow to buy the things they needed.