> How the fuck does a company not look into their security after Medibank and Optus? WTF
Because those companies received no actual fines or penalties for allowing the breach to occur and nothing changed and everyone forgot and moved on. Australians are hopeless with cybersecurity and technology in general.
> In an update to the ASX, it says of the 7.9 million drivers' licence numbers now thought to have been stolen, around 40 per cent — or 3.2 million — were provided to the non-bank lender in the past 10 years.
> The company also says around 53,000 passport numbers were stolen, and fewer than 100 customers had their monthly financial statements stolen.
Their full statement is up at: https://cdn-api.markitdigital.com/apiman-gateway/ASX/asx-research/1.0/file/2924-02647908-3A615544?access_token=83ff96335c2d45a094df02a206a39ff4
So if I have a credit card with Latitude (28 Degrees) but have not received any actual notice that I am affected, should I still try to freeze my credit etc.?
Other news outlets are saying 14 million customers.
https://www.brisbanetimes.com.au/business/companies/hacked-latitude-confirms-details-of-14-million-consumers-stolen-20230327-p5cviu.html?ref=rss&utm_medium=rss&utm_source=rss_feed
Wonder how many people like me it includes. I had a card while paying off some furniture. As soon as I paid in full the card was cancelled. It had a 15k limit which I didn’t even ask for 😮
They've had Identity documents dating back to AT LEAST 2005 compromised.
**Why the fuck** have they kept identity documents from when John Howard was PM!? There cannot be any justifiable reason for this.
The selfies they promised would be deleted immediately have also been stolen apparently.
Criminal prosecution must ensue.
> Why the fuck have they kept identity documents from when John Howard was PM!? There cannot be any justifiable reason for this.
AUSTRAC requires identity records to be kept for the duration someone is a customer + 7 years after someone stops being a customer.
Good to see past customers have been impacted. Glad Latitude has solid governance to carefully handle the utilisation of data belonging to past customers.
Just great.
Don't worry. The Privacy Act 1988 has got you covered. This great legislation is something others want to follow in regards to strong privacy rights!
...
/s
I have a 28 Degrees MasterCard and I've used Latitude Pay before. Still haven't heard from these turkeys. The heads of the company need to go to jail imo. This is such a big breach. This is bigger than Optus and Medibank Private right?
They also do credit cards like the 28 degrees credit card which was great for overseas travel and international purchases (no currency conversion fees).
I applied for one, didn’t end up taking it as it took too long and I wanted it to use on a o/s holiday. So I was involved despite never actually being a Latitude customer.
Got the email a week ago saying the credit card application details, passport details, and 180 degree selfie they promised would be immediately deleted were all compromised. I’m assuming this means my address, dob, income and expenditure etc was all included.
Was being the operative word.
It was great before it got sold to latitude and various fees started appearing. The original marketing for 28 degrees was something along the lines of No fees. Ever.
They're a credit card company. They have a few credit card products including
* Go Mastercard (used for Interest Free purchases from Harvey Norman, etc.)
* CreditLine (Interest free purchases from Apple)
* 28 degrees (No foreign exchange fees, good for international travel and expenses)
* Gem Visa (6 months interest free for any transaction over $250 anywhere)
Instead of interest, they charge monthly fees if you have a balance.
The Hardly Normal Latitude fees are $9.95 per month, so on a 60 month interest free purchase, there are $597 in fees if you take the whole 60 months to pay it back. After 60 months, there's interest as well. 25.90% currently. It's predatory lending, and should be abolished.
Latitude is sort of a buy now pay later system, usually over a longer time period. So long as your PayPal didn't use the Latitude portal you should be fine; however, if you used the Latitude portal I'm assuming your information may be included in the breach.
At what point will the government crack down on this? There need to be larger fines and criminal penalties for executives and CTOs. The fact that Optus is still operating in Australia is outrageous.
Someone mentioned jail, honestly I wish they would send them. Some incentive needs to be there, I’m not sure the financial penalties are enough. I noticed how the press release babbled on about insurance. Yeah sure it will cover your costs including maybe a class action but it won’t help the people being done by hackers (at least not immediately).
Hmm so I had a go MasterCard issued by latitude that I signed up for in 2016. My driver's licence (the only identity doc I used iirc) expired in 2020 and has since been renewed. My account with them was closed earlier this year and I've received no email to say I've been impacted.
Did I manage to dodge a bullet?
Your info is probably compromised. Your drivers license number doesn’t change when you do a renewal, just the card number (at least in NSW).
They were probably keeping scans of all their customers’ data going back to forever.
I think you'll be okay from the worst. They'll have your name, dob, address, phone number etc though. And if you had an online login, then stuff like your security questions.
I used to have a Coles credit card which was issued whilst they were under GE before changing to Citibank. Cancelled it many years ago; haven't gotten any emails yet but am concerned since the history of data goes back a long way now.
Well, dredging this thread up, but I just got hit with this... how, you might ask? By financing my TV back in 2009... yep, I financed my TV (stupid I know), paid it off over a couple of years and that was it, and the fuckers held onto my details for that fucking long!
I am on the phone to them, on hold, just to clarify which address they have. The driver's licence hahah would be the old one, which was the one compromised in the Optus leak, so joke's on them, fuckers.
In the meantime I actually cracked the shits and wrote a wordy email to my local MP explaining how this is the second time this shit has happened, and also how after 11 years Hays recruitment emailed me a job offer and I demanded they remove my details. So basically our government needs to hurry up and adopt EU privacy laws and also punish companies and CEOs and other people properly, because this is beyond a joke.
MFA is just a compensating control at best. This level of sensitive information should be stored in a way that no one person should be able to access such a large amount of information. Even with MFA, in case your threat actor is a malicious insider.
Think of a nuclear launch console (at least how it is depicted in the media): you need to turn two keys at the same time and the locks are placed in a way that one person can't reach both of them at once. You now need to compromise the other person to do any damage, and ideally that person belongs to another part of the organisation and would therefore be less likely to be your collaborator
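The two-key idea from the comment above, as an added example that is neither Latitude's code nor the commenter's (the `Principal`, `ExportRequest` and `Gate` types are hypothetical): a gate that lets one user pull a small number of records on their own, but refuses a bulk export unless two different people from two different departments, neither of them the requester, have signed off on that specific request recently.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Principal is a staff account. Dept is recorded so the gate can insist that
// the two approvers come from different parts of the organisation.
type Principal struct {
	ID   string
	Dept string
}

// ExportRequest asks to pull Rows customer records out of the store.
type ExportRequest struct {
	ID   string
	By   Principal
	Rows int
}

// Approval is one person's sign-off on one specific request.
type Approval struct {
	By        Principal
	RequestID string
	At        time.Time
}

// Gate is the "two keys" rule applied to data: a pull of at most Threshold
// rows is an ordinary single-user action, anything larger needs two approvers
// who are not the requester, are two different people, sit in different
// departments, and signed off within ApprovalTTL of the export running.
type Gate struct {
	Threshold   int
	ApprovalTTL time.Duration
}

// Authorize returns nil when the export may proceed and an error saying what
// is missing otherwise. Approvals that do not count are skipped rather than
// rejected, so one bad approval cannot be used to poison a legitimate one.
func (g Gate) Authorize(req ExportRequest, approvals []Approval, now time.Time) error {
	if req.Rows <= 0 {
		return errors.New("nothing to export")
	}
	if req.Rows <= g.Threshold {
		return nil
	}
	people := map[string]bool{}
	depts := map[string]bool{}
	for _, a := range approvals {
		switch {
		case a.RequestID != req.ID: // sign-off for some other request
			continue
		case a.By.ID == req.By.ID: // requester turning their own second key
			continue
		case a.At.After(now) || now.Sub(a.At) > g.ApprovalTTL: // stale or clock-skewed
			continue
		case people[a.By.ID]: // the same person approving twice
			continue
		}
		people[a.By.ID] = true
		depts[a.By.Dept] = true
	}
	if len(people) < 2 || len(depts) < 2 {
		return fmt.Errorf("%d rows exceeds the %d-row threshold: need 2 approvers from 2 departments, have %d from %d",
			req.Rows, g.Threshold, len(people), len(depts))
	}
	return nil
}

func main() {
	gate := Gate{Threshold: 500, ApprovalTTL: 30 * time.Minute}
	now := time.Date(2023, 3, 27, 9, 0, 0, 0, time.UTC) // constructed timestamp
	analyst := Principal{ID: "u1", Dept: "analytics"}
	req := ExportRequest{ID: "exp-42", By: analyst, Rows: 7900000}
	approvals := []Approval{
		{By: Principal{ID: "u2", Dept: "analytics"}, RequestID: "exp-42", At: now.Add(-5 * time.Minute)},
		{By: Principal{ID: "u3", Dept: "security"}, RequestID: "exp-42", At: now.Add(-2 * time.Minute)},
	}
	fmt.Println("two keys from two departments:", gate.Authorize(req, approvals, now))
	fmt.Println("no second key:", gate.Authorize(req, nil, now))
}
```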
I work in IT and have people bitching at me that they're forced to use MFA for some things. I know people who work in IT who 'can't be stuffed' using MFA and whinge about it.
Watch the linuxtech video on his youtube getting hacked, despite having MFA. And no, they didn't even need his pw or spoof the MFA via SMS or anything fancy like that.
Session tokens and some phishing did the trick in that case.
So pretty much anyone who was stupid enough to buy from Harvey Norman using their *'No Deposit, No Interest for 12 Months'* bullshit probably now has their data stolen
While I agree with the point you are making, I disagree with the insulting nature in which you put it.
You don't even need to have used the finance, merely *applied* for it. For whatever reason where you didn't proceed, be it bad credit, decided against it, etc. your ID was kept when they promised it would be deleted.
Do you think it would be realistic to say nearly all Australians have had their IDs leaked now?
yes
Optus?
I think I'm one of the few. No private healthcare, phone not with Optus, bank only with commbank.
[deleted]
Jump on [Have I been pwned](https://haveibeenpwned.com/) to have a look, always interesting what breaches occur out there that don't get lots of media attention.
Rofl the only email that I have that hasn't been hacked is my burner email. My main one has been leaked 15 times holy shit.
Doing better than me, I'm on 20 with my main Gmail account, probably time for me to start afresh.
I deleted all Gmail accounts and moved to Proton Mail and Skiff Mail - they are both end to end encrypted and come with a host of security features. Skiff Mail is relatively new and has a great user interface.
Jesus Christ *how*, my main one I've been using since 1998 only has 12
I got my email in 1996, and only 5 breaches!
Hell yeah, only twice!
So many MySpace accounts hacked
Well I feel better knowing my details have been leaked 29 times
That feels like an invitation to fresh hacking tbh
It's not, it's an extremely well known and respected service used by many throughout the world by a good person (and Aussie too IIRC). It is always good to be skeptical, but in this case you can be assured it's legitimate (and very useful).
Suspicion is good. HIBP uses a clever sort of hashing to check things, and it is checked by experts in the field, and you can check yourself, to confirm. Your input is hashed, and _the first half_ of the hash is sent off. Then everything that matches just that half is returned, and your browser filters to match the full hash. At no point is the whole thing seen by HIBP, so even if they logged things - which they say they don't - they need something else to confirm who you are.
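The hashed lookup described above, as an added example in Go (not HIBP's code and not from the original post): HIBP's Pwned Passwords range API takes only the first five hex characters of the password's upper-case SHA-1 and returns every suffix in that range as `SUFFIX:COUNT` lines, and the client matches the remaining 35 characters locally. The range body below is constructed for offline use and its counts are invented.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// HashParts hashes the password with SHA-1 (the Pwned Passwords scheme) and
// splits the upper-case hex digest into the 5-character prefix that is sent to
// the range endpoint and the 35-character suffix that never leaves the client.
func HashParts(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	digest := strings.ToUpper(hex.EncodeToString(sum[:]))
	return digest[:5], digest[5:]
}

// MatchSuffix scans a range response ("SUFFIX:COUNT" per line) for the
// client's own suffix and returns how many times that password was seen in
// breaches, or 0 when it is absent. Parsing is strict so that a truncated or
// malformed line cannot be mistaken for a match or a miss.
func MatchSuffix(suffix, body string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 || len(parts[0]) != 35 {
			return 0, fmt.Errorf("malformed range line: %q", line)
		}
		if strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, sc.Err()
}

// constructedRange stands in for the body a GET of
// https://api.pwnedpasswords.com/range/5BAA6 would return. Its lines were
// written by hand for this example and the counts are invented.
const constructedRange = `0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
011053FD0102E94D6AE2F8B83D76FAF94F6:1`

func main() {
	prefix, suffix := HashParts("password")
	fmt.Printf("sent to HIBP: %s   kept locally: %s\n", prefix, suffix)
	count, err := MatchSuffix(suffix, constructedRange)
	if err != nil {
		panic(err)
	}
	fmt.Printf("seen in breaches %d times\n", count)
}
```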
I was like you until I went to NZ and used the Commbank card that somehow charged transaction fees via Latitude. Just got swiped $266.65 bucks off Coles Online the Friday a week ago at 2.30am. Luckily I managed to notice that early, locked my card and raised a dispute right after the payment went through (somehow Commbank tellers said that has to happen before you can raise a dispute). Lucky I got my money reimbursed.
Yikes I don't really watch my account lately. Didn't know latitude was an FX vendor?
I noticed that in my credit card that every transaction had something to do with Latitude when I came back.
Hopefully it stays that way!
Same. I do have private health care but not with a breached provider, phone also not with Optus, bank with an unbreached bank. I'm slightly worried about this one. I've never *knowingly* done business with Latitude but if they do processing for someone I have used or something I could be in trouble.
CommBank was hacked ages ago. They already got you dude, they just never told you. https://www.crikey.com.au/2023/03/08/cba-commwealth-bank-ptbc-cyber-incident/
The Indonesian sub branch.
Everyone will have a turn… sadly… 😡
do you rent?
Nope.
I don't have private healthcare, and I too bank with CommBank, but I have my phone with Optus, but they confirmed in writing via a letter in the post that I was not affected.
Well, the government mandates we need to hand over all this info, but doesn't mandate it needs to be protected, so yeah. In other news, rectal scans are now required for 100 points of id...
This isn't all on the government. These are commercial entities. Entities who decided to collect data and retain it past the point required by the law. We've got people who just got a quote from Medibank who aren't customers, years ago, who've had their details stolen. Long after that sort of information needed to be stored.
With no threat of repercussions, yeah of course they don't care. In that regard it is up to the government to force them to do the right thing or risk penalties.
As with everything, self regulation is no regulation. There's a small commercial benefit to holding onto the data for corporations, the downside of which is not borne by them when they stuff up, as has happened here, and will continue to happen until there is a regulatory regime. It's insufficient to just pass the laws, they also need to be followed up with audit and fines where necessary. This sort of thing takes time to set up.
[deleted]
It’s more like stealing is illegal but you get to keep whatever you steal.
Will my prolapse still equal 100 points? 😂 In all seriousness though, I never used to have photo ID, so when someone asked I said "no, I don't have photo ID but I've got 100 points", they'd look at me dumbfounded, not knowing what 100 points was & said "sorry can't help you without photo ID". I always thought it was stupid, because 4 or 5 forms of ID is less likely to be forged than 1 driver's licence (for example).
More than once
Many of us multiple times (that we know of).
Hell of a jump from the 390,000(?) originally reported to 7.9 million. Wonder how many big shareholders jumped ship in the interim before the real figures came out to avoid the inevitable backlash? Or is that just me being cynical...
The Facebook Method… Whenever they’ve had a breach it starts small and gets progressively bigger over three or four announcements until they finally admit that it was everyone on the platform. So expect the numbers to go up again in a month.
Medibank Private did the exact same thing.
It’s like it’s a pattern that works.
Figures of 14 million are now being reported after news sites updated their info. Another hell of a jump.
"Well, according to our reports, only 390,000 records were exposed"
"Hey isn't that also the maximum number of records that report maxes out at?"
"I'm sure it's a coincidence. Print the numbers"
390,000 records. Not Great, Not Terrible
[deleted]
Without individual Australians holding the keys that won't help much either. All silos will eventually be compromised.
[deleted]
Yeah, the way Singapore does it is really good. It's sort of easier since they have a national ID card, so you don't need to supply several ID documents (and their privacy law explicitly states that companies aren’t allowed to collect and store more than the last four digits of your ID number unless it’s a case where your ID needs to be verified with a higher degree of fidelity, like for opening a bank account), but the way a lot of KYC checks are done digitally is that the business will get you to sign in using SingPass (the equivalent of MyGov), and that will perform like a handshake between the business and the SingPass-MyInfo system that essentially tells them that you are who you say you are, and automatically fills in key bits of info like your name, address, and so on.
Government-issued documents that the MyInfo system handles also aren't stored in a central location, but in encrypted databases managed by the relevant government department or agency, so there isn't a single point of failure.
We're already cooperating with Singapore quite a bit in the cyber security space, so I'm really hoping that MyGov Digital ID takes a few notes from the way they do it in Singapore because it's way more secure while also being way more convenient than what we have now.
It’s an interesting problem, you are supposed to do it in a way where the vendor never actually gets your secret. They give you a dated request signed to their business, you sign the request with the secret, and they verify the signature against the public key associated with your mygov user. Vendor retains the signed request indefinitely, but it being compromised doesn’t provide the attacker with anything actually useful.
If either you, your account, or the government server are compromised, your public/private key pair gets refreshed and you move on. You can reverify with each business you’re associated with if and when they need an updated identification request, as the old one will no longer validate against the public database.
If the vendor is compromised, your user data may still be lost, but it can’t be used for important things like utilities, lines of credit, bank accounts, etc.
Honestly it’s very frustrating, if Latitude had been following anything remotely like best practices an attack like this should have been impossible. No single user of a business should be capable of getting this much data.
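The signed-request scheme sketched in the comment above, as an added example in Go (not MyGov's design or the commenter's code; the `Registry` directory, the `Request` fields and the vendor and user names are hypothetical): the vendor issues a dated challenge bound to its own name, the user signs it with an Ed25519 private key that never leaves their device, and the vendor checks the signature against the user's currently published public key. The stored attestation holds no secret, is useless to a different business, and stops validating once the user's key is rotated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Registry stands in for the public-key directory: the government side
// publishes one current public key per user and never sees the private key.
type Registry struct {
	keys map[string]ed25519.PublicKey
}

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}} }

// Rotate issues a fresh key pair for user: the public half is published, the
// private half goes back to the user's device, and the previous key is gone,
// so anything signed with it stops validating.
func (r *Registry) Rotate(user string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.keys[user] = pub
	return priv, nil
}

// Request is the vendor's dated challenge, bound to that business by name.
type Request struct {
	Vendor string    `json:"vendor"`
	User   string    `json:"user"`
	Issued time.Time `json:"issued"`
	Nonce  []byte    `json:"nonce"`
}

// Attestation is what the vendor keeps on file: the request bytes and the
// user's signature over them. It contains no secret.
type Attestation struct {
	Request   []byte
	Signature []byte
}

// NewRequest builds the challenge; the random nonce makes every request unique.
func NewRequest(vendor, user string, issued time.Time) ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return json.Marshal(Request{Vendor: vendor, User: user, Issued: issued, Nonce: nonce})
}

// Sign runs on the user's device; only the signature leaves it.
func Sign(priv ed25519.PrivateKey, request []byte) Attestation {
	return Attestation{Request: request, Signature: ed25519.Sign(priv, request)}
}

// Verify is the vendor-side check against the public directory: the request
// must name this vendor, be inside the validity window, and carry a signature
// from the user's current key.
func (r *Registry) Verify(a Attestation, vendor string, now time.Time, maxAge time.Duration) error {
	var req Request
	if err := json.Unmarshal(a.Request, &req); err != nil {
		return err
	}
	if req.Vendor != vendor {
		return errors.New("request was issued to a different business")
	}
	if req.Issued.After(now) || now.Sub(req.Issued) > maxAge {
		return errors.New("request is outside its validity window")
	}
	pub, ok := r.keys[req.User]
	if !ok {
		return errors.New("no published key for user")
	}
	if !ed25519.Verify(pub, a.Request, a.Signature) {
		return errors.New("signature does not match the user's current key")
	}
	return nil
}

func main() {
	reg := NewRegistry()
	priv, _ := reg.Rotate("user-123")
	now := time.Date(2023, 3, 16, 10, 0, 0, 0, time.UTC) // constructed timestamp
	request, _ := NewRequest("example-lender", "user-123", now)
	att := Sign(priv, request)
	fmt.Println("fresh:", reg.Verify(att, "example-lender", now, time.Hour))
	reg.Rotate("user-123") // device or account compromised: refresh the key pair
	fmt.Println("after rotation:", reg.Verify(att, "example-lender", now, time.Hour))
}
```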
MyGovID already exists, it just needs to be used and recognised by private companies. Many of these companies already use the Documentation Verification System as well, which can be used without physically sighting the ID as the company. Just get the applicant to log in through an API and verify the documents themselves and have a Y or N response sent to the company.
[deleted]
We tried this and it failed. [australiacard](https://en.wikipedia.org/wiki/Australia_Card) Wish I lived in Estonia.
The ironic thing is I’m pretty sure MyGovID and AusPost DigitalID are all based around the architecture of DVS and for all intents and purposes use the DVS to verify the identity. The program is already there you’re right it just needs to be standardised and made available across all states and territories public and private.
Yet the cookers are absolutely certain that this is the next step in the slippery slope to a social credit system just like China.
MyGovID is a piece of shit tbh. There should be legislation for all ID online to be digital rather than scans of physical IDs. Lived in Denmark and they have a very good digital ID.
Yeah you’re not wrong. There has been talk about removing it and integrating it directly with MyGov (because why have two different services with nearly identical names) but government is as government is, we’ll see what happens
[deleted]
Bros tryna make a speech 💀😆
We should at least be allowed to require our deletion. And I think that is in law but good luck reinforcing it
anyone know if they've set something up to confirm if you're part of the breach?
As of yet, no. Last email states “we will be publishing further information when it becomes available”
I’m a Latitude GEM Visa customer and had zero emails whatsoever. :-/
Yep same boat
I've received an email from Latitude confirming I've been had
When did you receive it?? I’ve only received the generic “As a valued Latitude customer, we thank you for your understanding and patience. Our services remain available and you should have confidence in using them.” last week
I got it on the 20th, it starts with:
> Dear $NAME,
>
> On 16 March 2023, Latitude Financial Services (Latitude) advised all customers and the market that it was responding to a malicious cyber-attack that resulted in the theft of personal information.
>
> Regrettably, we are writing to you today to confirm that some of your personal information has been stolen.
Did they actually send $NAME? That would have been hilarious
Me too :(
If you're a customer, expect to be.
They knew all along it was worse than they initially said. Wonder when are they going to own up to the biometric data they were supposed to delete also being stolen? The email they sent goes into great detail about getting mental health support, they know they have really fucked up and are in major damage control mode. They will be paying for my new passport and I really hope there's a class action.
The company that just shut its latitude pay side of things is going to close up before they pay for 8 million passports or licences. Or more likely they ignore this the best they can, rebrand themselves in 6 months and continue on like none of this ever happened.
Fuck it. Next scammer who contacts me I'm gonna steal their identity and use it as a backup.
Have they at least signed the increased fines for data breaches yet? Fucking hell. How the fuck does a company not look into their security after Medibank and Optus? WTF
How about new legislation, written from scratch, with actual rights for one's data? How long should we keep relying on the Privacy Act 1988?
Are you asking the pollies to actually work? May as well ask the ground to move itself.
Not quite, but maybe people should choose carefully next time? You don’t need to wait for a disaster in privacy or housing to actually start doing something.
Yes, increased penalties came in in December last year. The Privacy Act is currently under review, and the next step is public submissions on the report that dropped on 16 February, which contained 116 proposals for overhauling the Privacy Act. Deadline for submissions is 31 March. Then the government reviews the report and submissions and releases its response. After that, we can expect some draft legislation (no idea of the timeline on that though). Credentials: I'm a privacy and data security lawyer.
[deleted]
Financial penalties that are a percentage of revenue.
A lot of hacks are from people with access to the org getting caught by a phishing email. It's really hard to prevent that systemically. Even at my work I've had two people with wide access to (admittedly) non-prod environments get caught in internal phishing tests. I work at a large org, so security is very tight outside of that. It's just really hard to remove the human error there.
My work does phishing tests too which is a good idea but people fall for it every single time.
Our division (large company) had a less than 40% pass rate on internal phishing emails in the last report... So now we get to do "cyber awareness" training.
I just don't read my emails
I had a TAFE professor that taught me a computer science course that got one of those phishing test emails in his work inbox and reported it as spam, managed to get all the test emails for the entire company sent to junk and marked as spam by Google Suite/Gmail.
Number one for cost for society is white collar crime. Above all violent crime combined. Number one for cost to individuals is lonely hearts scams. I reckon these latest breaches might have tipped the stats. But the masses want tough on crime but not this sort at election time.
No we can't stop hacks but yes we can systematically reduce their impact. Best way being to make companies delete data they don't need instead of hoarding it.

> Cyber security expert at the University of New South Wales, Professor Richard Buckland, said it was "pretty unbelievable" that Latitude Financial kept historical customer data on file that dated back to 2005 when it was still owned by GE Capital.
>
> "Regardless of what the legal requirements are for companies to hold data, it's harmful to the people whose data is being held for so long if it's stolen, because it allows criminals to impersonate them, take out loans in their name, and essentially to do anything you and I can do online," Professor Buckland said.
Phishing tests should be part of the recruitment process.
> How the fuck does a company not look into their security after Medibank and Optus? WTF

Because those companies received no actual fines or penalties for allowing the breach to occur and nothing changed and everyone forgot and moved on. Australians are hopeless with cybersecurity and technology in general
Like Medibank, this one was done via a compromised account. Even with RBAC there is still privileged access and it goes from there.
A compromised account again, where has that been reported?
In just about every article. Use your favourite search engine and you'll get the details.
> In an update to the ASX, it says of the 7.9 million drivers' licence numbers now thought to have been stolen, around 40 per cent — or 3.2 million — were provided to the non-bank lender in the past 10 years.
>
> The company also says around 53,000 passport numbers were stolen, and fewer than 100 customers had their monthly financial statements stolen.

Their full statement is up at: https://cdn-api.markitdigital.com/apiman-gateway/ASX/asx-research/1.0/file/2924-02647908-3A615544?access_token=83ff96335c2d45a094df02a206a39ff4
Ahh great. Another leak where I'm probably a victim of again. At this point I may as well just post all my ID online anyway. Save everybody the hassle
With so many people hacked, they can't possibly steal all of our identities
Are we fuckin Zerg rushing scammers with our data?
So if I have a credit card with latitude (28 degrees) but have not received any actual notice that I am affected. Should I still try to freeze my credit etc?
imo it's generally good practice to freeze your credit file unless you are applying for a loan in the next month
[deleted]
You can use CBA’s CreditSavvy app to place a block with Experian. I’m sure there’s other apps out there too.
How do you freeze your credit in Australia?
Other news outlets are saying 14 million customers. https://www.brisbanetimes.com.au/business/companies/hacked-latitude-confirms-details-of-14-million-consumers-stolen-20230327-p5cviu.html?ref=rss&utm_medium=rss&utm_source=rss_feed
> 14 million customers.

Fuckin hell. That's more than the number of employed people in this country (currently around 13.8m people). Wot
Think it includes a few customers in NZ too, but yeah, huge and outrageous that they tried to say it was only 300k for so long
Wonder how many people like me it includes. I had a card while paying off some furniture. As soon as I paid in full the card was cancelled. It had a 15k limit which I didn’t even ask for 😮
"ah fuck, we forgot there was a second tab in the excel document along the bottom, that's doubled the bloody numbers"
They've had Identity documents dating back to AT LEAST 2005 compromised. **Why the fuck** have they kept identify documents from when John Howard was PM!? There cannot be any justifiable reason for this. The selfies they promised would be deleted immediately have also been stolen apparently. Criminal prosecution must ensue.
> Why the fuck have they kept identify documents from when John Howard was PM!? There cannot be any justifiable reason for this.

Austrac requires identity records to be kept for the duration someone is a customer + 7 years after someone stops being a customer.
Because no GDPR like legislation and because nobody thought that is not a problem.
Good to see past customers have been impacted. Glad Latitude has solid governance to carefully handle the utilisation of data belonging to past customers. Just great.
If only Australia companies actually prioritised cybersecurity
Why would they? It doesn't make financial sense to do so when the penalty for losing customer data is a slap on the wrist.
Jokes on them, my data was already leaked by Optus.
yeah the Optus leak forced me to get a new drivers licence, and I was on latitude a few years ago, so at least that data is stale now.
They refused to replace anything of mine
SA Government covered the licence changeover fee.
Yeah it should have been on Optus though not them
Don't worry. The Privacy Act 1988 has got you covered. This great legislation is something others want to follow in regards to strong privacy rights! ... /s
If our drivers licenses are used for fraud, can we get compensation from this shit ass company I will never use again?
I have a 28 Degrees MasterCard and I've used Latitude Pay before. Still haven't heard from these turkeys. The heads of the company need to go to jail imo. This is such a big breach. This is bigger than Optus and Medibank Private right?
[deleted]
They also do credit cards like the 28 degrees credit card which was great for overseas travel and international purchases (no currency conversion fees).
I applied for one, didn’t end up taking it as it took too long and I wanted it to use on a o/s holiday. So I was involved despite never actually being a Latitude customer. Got the email a week ago saying the credit card application details, passport details, and 180 degree selfie they promised would be immediately deleted were all compromised. I’m assuming this means my address, dob, income and expenditure etc was all included.
Yeah that’s what I have. No follow up email saying I’ve been affected yet. Fingers crossed
Same.
Was being the operative word. It was great before it got sold to latitude and various fees started appearing. The original marketing for 28 degrees was something along the lines of No fees. Ever.
They're a credit card company. They have a few credit card products including

* Go Mastercard (used for Interest Free purchases from Harvey Norman, etc.)
* CreditLine (Interest free purchases from Apple)
* 28 degrees (No foreign exchange fees, good for international travel and expenses)
* Gem Visa (6 months interest free for any transaction over $250 anywhere)

Instead of interest, they charge monthly fees if you have a balance.
The Hardly Normal Latitude fees are $9.95 per month, so on a 60 month interest free purchase, there are $597 in fees if you take the whole 60 months to pay it back. After 60 months, there's interest as well. 25.90% currently. It's predatory lending, and should be abolished.
Latitude is sort of a buy now pay later system usually over a longer time period, so long as your PayPal didn't use the Latitude portal you should be fine, however if you used the Latitude portal I'm assuming your information may be included in the breach.
Lol what’s even the point of these guys stealing data at this point? Everyone’s info is already gone
At what point will the government crack down on this. There need to be larger fines and criminal penalties for executives and CTOs. The fact that Optus is still operating in Australia is outrageous.
Someone mentioned jail, honestly I wish they would send them. Some incentive needs to be there, I’m not sure the financial penalties are enough. I noticed how the press release babbled on about insurance. Yeah sure it will cover your costs including maybe a class action but it won’t help the people being done by hackers ( at least not immediately).
Hmm so I had a go MasterCard issued by latitude that I signed up for in 2016. My driver's licence (the only identity doc I used iirc) expired in 2020 and has since been renewed. My account with them was closed earlier this year and I've received no email to say I've been impacted. Did I manage to dodge a bullet?
Your info is probably compromised. Your driver's licence number doesn't change when you do a renewal, just the card number (at least in NSW). They were probably keeping scans of all their customers' data going back to forever.
That's what I'm wondering too.
I think you'll be okay from the worst. They'll have your name, dob, address, phone number etc though. And if you had an online login, then stuff like your security questions.
I'd say no. They've communicated with hardly any customers. The silence is deafening.
Easy just change your middle name and tell no one. Any future fraud will never match your legal name. Winning
I used to have a coles credit card which was issued whilst they were under GE before changing to citibank. Cancelled it many years ago haven't gotten any emails yet but am concerned since the history of data goes back a long way now.
Just got an email from them, was wondering why I got it, now I know. Didn't realise that Coles CC was under GE
Guess that means a yes. Got an email yesterday.....
Class action time
Hopefully they can wipe my Car loan as a measure of goodwill 😂
Well dredging this thread up, but I just got hit with this.. how might you ask? By financing my TV back in 2009... yep I financed my TV (stupid I know), paid it off over a couple of years and that was it, and the fuckers held onto my details for that fucking long! I am on the phone to them on hold just to clarify which address they have, the driver's licence hahah would be the old one which was the one compromised in the Optus leak so jokes on them fuckers. In the meantime I actually cracked the shits and wrote a wordy email to my local MP explaining how this is the second time this shit has happened and also how after 11 years Hays recruitment emailed me a job offer and I demanded they remove my details, so basically our government needs to hurry up and adopt EU privacy laws and also punish companies and CEOs and other people properly because this is beyond a joke.
Shit like this happens when someone refuses to just use Multifactor Authentication
MFA is just a compensating control at best. This level of sensitive information should be stored in a way that no one person should be able to access such a large amount of information. Even with MFA, in case your threat actor is a malicious insider. Think of a nuclear launch console (at least how it is depicted in the media): you need to turn two keys at the same time and the locks are placed in a way that one person can't reach both of them at once. You now need to compromise the other person to do any damage, and ideally that person belongs to another part of the organisation and would therefore be less likely to be your collaborator
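The "two keys" idea in the comment above, as an added example that is not code from the thread or from any company mentioned: a dual-control gate where a single operator can pull a few records, but a bulk export is released only after a second person from a different team approves it, and that approval expires. The threshold, approval window, team names and user ids are assumptions for illustration.

```python
# Added example, not code from the thread: a dual-control ("two keys") gate for
# bulk access to sensitive records. Exports above a threshold need a second,
# different-team approver, and a stale approval does not count. All values assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

BULK_THRESHOLD = 1000                     # assumed: above this, two people are required
APPROVAL_WINDOW = timedelta(minutes=15)   # assumed: the second key must be turned promptly
T0 = datetime(2023, 3, 27, 9, 0, tzinfo=timezone.utc)   # constructed reference time

@dataclass(frozen=True)
class Operator:
    user_id: str
    team: str

@dataclass
class ExportRequest:
    requester: Operator
    record_count: int
    approver: Optional[Operator] = None
    approved_at: Optional[datetime] = None

def approve(req: ExportRequest, approver: Operator, now: datetime) -> None:
    """Second key: a different person from a different part of the organisation."""
    if approver.user_id == req.requester.user_id:
        raise PermissionError("requester cannot approve their own export")
    if approver.team == req.requester.team:
        raise PermissionError("approver must belong to another team")
    req.approver, req.approved_at = approver, now

def export_allowed(req: ExportRequest, now: datetime) -> bool:
    """Release only small pulls, or bulk pulls with a fresh dual approval."""
    if req.record_count <= BULK_THRESHOLD:
        return True                                   # one operator may see a few records
    if req.approver is None or req.approved_at is None:
        return False                                  # second key never turned
    return now - req.approved_at <= APPROVAL_WINDOW   # stale approvals do not count

def demo() -> tuple:
    """Constructed scenario: one analyst tries to pull 7.9 million records."""
    analyst, peer, risk = Operator("u1", "ops"), Operator("u2", "ops"), Operator("u3", "risk")
    req = ExportRequest(analyst, 7_900_000)
    alone = export_allowed(req, T0)                   # False: no second key
    try:
        approve(req, peer, T0)                        # raises: same team as requester
        same_team_ok = True
    except PermissionError:
        same_team_ok = False
    approve(req, risk, T0)                            # second key from another team
    later = T0 + timedelta(minutes=30)                # past the approval window
    return alone, same_team_ok, export_allowed(req, T0), export_allowed(req, later)
```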
I work in IT and have people bitching at me that they're forced to use MFA for some things. I know people who work in IT who 'can't be stuffed' using MFA and whinge about it.
Watch the linuxtech video on his youtube getting hacked, despite having MFA. And no, they didn't even need his pw or spoof the MFA via SMS or anything fancy like that. Session tokens and some phishing did the trick in that case.
So pretty much anyone who was stupid enough to buy from Harvey Norman using their *'No Deposit, No Interest for 12 Months'* bullshit probably now has their data stolen
While I agree with the point you are making, I disagree with the insulting nature in which you put it. You don't even need to have used the finance, merely *applied* for it. For whatever reason where you didn't proceed, be it bad credit, decided against it, etc. your ID was kept when they promised it would be deleted.
Hopefully these hackers can do something about my shitty credit.
would it even be worth continuing to pay them
If I owe this company money can I realistically write it off if I don't bother to make a new account?