Latitude Monetary has blamed a provider for leaking creds that led to a huge PII leak

Australian outfit Latitude Monetary has taken itself offline, and even stopped serving customers, while it tries to clean up an attack on its systems.
The listed firm last week called a halt to trading in its shares and filed [PDF] news that it had “detected uncommon exercise on its techniques over the previous couple of days that seems to be a complicated and malicious cyber-attack.”
Intriguingly, the company told investors the attack “originated from a serious vendor utilized by Latitude.” More on that later.
Latitude said the attack on the vendor exposed credentials of its staff, which were used to log on to two other service providers it uses for matters such as identity verification. Those creds were used to access over 100,000 identification documents from one service provider and 225,000-plus customer records from the other. Information accessed included details of drivers licenses, passports, and medical insurance cards. Australia requires financial services operations to secure several forms of identification before opening accounts, so it isn’t unusual for Latitude to have held this data. New Zealand customers were also impacted.
In a Monday filing [PDF] Latitude revealed the attack is ongoing, so it has “taken our platforms offline and are unable to service our prospects and service provider companions.”
The company said it hopes to restore capabilities progressively in coming days.
But it also warned that more customers – past and present – should expect their information has leaked. Even applicants for the company’s products were advised their data may have gone astray.
Taking its services offline means major Australian retailers – including Apple – can’t access Latitude’s consumer credit products that they offer as an alternative payment mechanism.
Latitude has gone through the usual process of apologising, engaging investigators, and hiring third-party services to protect customers’ identities.
But it hasn’t identified the “main vendor” that was the source of its troubles.
Considerable speculation has reached The Register regarding the identity of that main vendor. Was it a service provider? A telco? A software or hardware vendor? Or maybe a cloud?
In any of those scenarios, many other customers are at risk. The Register is therefore watching this one closely, as the identity of the main vendor is at least as important as the troubles Latitude and its customers are facing. ®