Data leak
Supply Chain
BleepingComputer / SecurityWeek / Security Boulevard
Primary Source
Incident Details
An attacker stole employee credentials and used them to access Latitude Financial’s data held by two service providers, including DXC Technology. 14 million records were affected across Australia and New Zealand: 7.9M driver license numbers, 53K passport numbers, and 6.1M customer records (names, addresses, DOBs, phone numbers). Remediation cost AUD $76M. An Australian Privacy Act investigation was launched. Latitude refused to pay the ransom. It is the biggest data breach in Australian financial sector history.
Technical Details
- Initial Attack Vector: CWE-522: Insufficiently Protected Credentials (stolen employee login credentials used to access third-party service providers)
- Vendor / Product: Latitude Financial Services / DXC Technology (service provider)
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2023-03-16 Breach occurred
- 2023-03-16 Publicly disclosed
- 2023-03-30 Customers notified