DXC Technology says global network is not compromised following Latitude Financial breach

Soon after Latitude Financial revealed it suffered a cyber attack, DXC Technology quietly published a note on its website stating its global network and customer support networks were not compromised.

When Latitude Financial, which is listed in the Australian Securities Exchange (ASX), first published about the attack it said the activity was believed to have “originated from a major vendor used” by the company. According to Latitude, the attacker obtained login credentials from an employee using it to “steal personal information that was held by two other services providers”.

Latitude provides loans, credit cards and insurance in Australia, New Zealand, Canada and Singapore. Some of its services includes interest free instalments for JB Hi-Fi, The Good Guys and David Jones customers when shopping online.

Nothing to see here

DXC is one of the largest IT services providers in the world and back in 2017, when it launched after the merger of CSC and HPE’s services division, it revealed that a majority of its personnel and half of its customers were based in Australia.

On 17 March, the company published an unprompted public statement assuring its network was safe. “DXC is liaising with the Australian Cyber Security Centre (ACSC), and we have advised them that our systems are secure and operating as normal,” read the statement.

“DXC takes the responsibility of protecting the security of its customers’ systems and data very seriously.”

This announcement sparked suspicion with the AFR Weekend writing it understands DXC to be one of Latitude’s providers.

CSO has reached out to DXC Technology Australia for comment.

Latitude reveals 14 million customers impacted, not 330,000

Ten days after Latitude revealed it had been breached, the company found that data from 14 million people had been accessed, as opposed to the 330,000 it had first believed.

The attacker managed to use the stolen employee credential to access customer data stored by both services providers before Latitude was able to isolate the incident.

As of 27 March the company knows that 7.9 million Australian and New Zealand driver licence numbers were stolen, of which approximately 3.2 million, or 40%, were provided to the company in the last 10 years. Approximately 53,000 passport numbers were stolen, and less than 100 customers had a monthly financial statement stolen.

There were also 6.1 million records dating back to 2005 that were accessed including name, address, telephone, and date of birth.

“We are committed to working closely with impacted customers and applicants to minimise the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full review of what has occurred,” Latitude CSO Ahmed Fahour said in a statement.

“We urge all our customers to be vigilant and on the look-out for suspicious behaviour relating to their accounts. We will never contact customers requesting their passwords.”

Latitude has suggested customers contact Australia’s credit reporting agencies for a credit report to check for any suspicious activity and in New Zealand to check credit records.

The financial services provider had initially isolated and removed access to some customer-facing and internal systems.

“We continue to work around the clock to safely restore our operations. We are rectifying platforms impacted in the attack and have implemented additional security monitoring as we return to operations in the coming days,” Fahour said.

Investigation and Federal government action

The incident is under investigation by the Australian Federal Police (AFP) and Latitude has reported the incident to the Australian Cyber Security Centre.

The AFP has expanded Operation Guardian to help protect Latitude Services customers. Operation Guardian is a joint initiative with state and territory police  and was set up in September 2022 to protect more than 10,000 customers whose personal information was unlawfully released online after the Optus data breach. It was also extended to Medibank Private customers.

The AFP also said that there is no evidence to date that the personal details of Latitude Services customers are available or being sold on online or dark web forums.

The AFP has recently announced a restructure in response to an increase in cybercrime, appointing Acting Deputy Commissioner, Crime, Grant Nicholls, who will be responsible for developing and managing the AFP’s crime and cyber strategies and related policy issues and Assistant Commissioner Scott Lee as the leader of Cyber Command.

The Australian Federal government is seeking feedback from a discussion paper in order to put together a new cybersecurity strategy. This includes considering that Australia develops a Cyber Security Act and whether further reform to the Security of Critical Infrastructure Act is needed.

Minister for Home Affairs and Cybersecurity Clare O’Neil said in a statement, “While we will never reduce this risk of these attacks to zero, how we respond and become more resilient as a nation is now more important than ever.”

“This government is working to ensure that in future digital identities are hard to steal and, if compromised, easy to restore,” she said.