Latitude Financial’s Cyber Breach: A Critical Review
In March 2023, a significant cyber breach occurred at Latitude Financial, resulting in a data leak that could have been prevented. This conclusion was drawn by an independent expert from the ‘R firm’, who was commissioned by the Australian Financial Complaints Authority (AFCA) to conduct a review. The review was part of a complaint resolution process initiated by a Latitude client who demanded the waiver of their credit card debt.
Failure to Protect Client Data
The review by the ‘R firm’ highlighted some serious shortcomings in Latitude Financial’s data protection measures. The expert opinion stated that Latitude failed to put in place the safeguards necessary to protect the complainant’s personal information from unauthorised access. This opinion was derived from a thorough examination of Latitude’s security systems, policies, and the available information about the cyber-attack, benchmarked against industry best practices.
Latitude’s Cyber Security Investment: A Missed Opportunity?
Interestingly, it was observed that Latitude had made significant investments in a comprehensive cybersecurity program. However, the effectiveness of this program was called into question. The expert from ‘R firm’ pointed out that Latitude’s cyber security program did not meet the standard for incident preparedness for an organization of its size and nature. The standards mentioned were the NIST SP 800-61 R2 Preparation Standards and the ‘Essential Eight’ maturity model.
Overreliance on Third Parties: A Major Setback
In its review, ‘R firm’ also drew attention to Latitude’s excessive dependence on third parties. This overreliance was said to have negatively impacted the coherence of its detection and response capabilities. It was further noted that Latitude deviated from its documented procedures and good incident response practices during the cyber incident. This deviation likely affected the effectiveness of the response to the cyber breach.
An Opportunity Missed
A detailed chronology of the cyber-attack events provided by ‘R firm’ suggested that prompt and appropriate responses by Latitude could have slowed or even stopped the attacker. In some instances, the company missed the attacker by just a few hours. It was also highlighted that Latitude’s response did not align with its own playbooks and incident response plans, which may have further reduced the effectiveness of its response.
AFCA’s Ruling
In light of the review findings, AFCA ruled against the waiver of the credit card debt. However, Latitude was ordered to pay $300 to the complainant as compensation for non-financial loss.
This incident underscores the importance of robust cybersecurity measures and the need for companies to adhere to their incident response plans. It also highlights the role of regulatory bodies like AFCA in maintaining checks and balances in the financial sector.




