Latitude Financial says no to ransom demand


Australian digital payments firm Latitude Financial will not pay the hackers behind its data breach in March.

The company made the announcement on April 11, saying it had received a ransom demand from the criminals behind the attack.

While Latitude did not disclose the amount demanded by the hackers, it said that the decision to refuse payment is in line with the position of the Australian government.

“We will not reward criminal behaviour, nor do we believe that paying a ransom will result in the return or destruction of the information that was stolen,” the company said in its statement.

“In line with advice from cybercrime experts, Latitude strongly believes that paying a ransom will be detrimental to our customers and cause harm to the broader community by encouraging further criminal attacks,” the statement further read.

Stolen data revealed

Meanwhile, Latitude confirmed that the stolen data listed by the hackers in their ransom note is consistent with the scope of the breach the company disclosed on March 27.

Latitude previously said that “approximately 7.9 million Australian and New Zealand driver licence numbers were stolen, of which approximately 3.2 million, or 40%, were provided to us in the last 10 years.”

Around 53,000 passport numbers were also stolen, alongside monthly financial statements of no more than 100 customers.

Moreover, the hackers also got hold of approximately 6.1 million records dating back to at least 2005, of which approximately 5.7 million, or 94%, were provided before 2013.

Latitude is contacting and providing support to every customer whose personal information was compromised in the attack, said Bob Belan, the company's new CEO.

“In parallel, our teams have been focused on safely restoring our IT systems, bringing staffing levels back to full capacity, enhancing security protections and returning to normal operations,” he said.

“I apologise personally and sincerely for the distress that this cyberattack has caused and I hope that in time we are able to earn back the confidence of our customers,” the Chief Executive continued.

Risks of ransomware payments


In a series of tweets, Clare O’Neil, Australian Minister for Home Affairs and Minister for Cyber Security, remained firm against paying a ransom to cybercriminals.

“Cybercriminals cheat, lie, and steal. Paying them only fuels the ransomware business model. They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals,” she said.

“I want Australia to be the most cyber-secure country in the world by 2030. To do it, we need to stand strong together in the national interest, and deny hackers and cheats any profits from their crimes,” the Minister added.

Meanwhile, deciding whether or not to pay hackers a ransom is not as black and white as it seems, said Sean Duca, Vice President and Regional Chief Security Officer, Asia Pacific & Japan, Palo Alto Networks.


“Paying a ransom may be detrimental, with key drawbacks including that it emboldens criminals to continue these tactics, and payments go towards funding these groups to become more sophisticated. However, an organisation that does or doesn’t pay a ransom should be on a case-by-case basis following a thorough assessment of the impact of the stolen data taken or the inaccessible systems,” he said.

“An organisation must be open to discussions to understand the true impact of the breach. For example, if hackers steal credit card numbers but don’t have access to the CCV or expiry date, it’s much more difficult for them to use the data. But if it was critical infrastructure, where there can be life-or-death situations, such as a hospital, this changes the risk equation for an organisation. Ultimately, it’s up to an organisation to determine its risk tolerance and whether or not it has done everything it can to protect the data of past and present customers,” the security expert concluded.