Australia's Premier Non-Bank Lender Suffers Data Security Breach

 

One of Australia's largest non-bank mortgage lenders, Firstmac, has suffered a cyberattack, which resulted in customer information such as credit card and passport numbers, Medicare numbers and driver's licence numbers being stolen and published on the dark web. In a letter sent to its customers, the Brisbane-based lender informed them that one of its information technology systems had been successfully breached by an unauthorised third party, making it one of Australia's largest non-bank lenders. 

According to the non-bank lender, hackers have taken possession of nearly ten thousand driver's licenses and two hundred and fifty thousand "customer records" over the last few days. The company notified the Australian Stock Exchange of the incident. As a result of the unusual activity it has detected on its systems "in the last few days," the company has suspended trading until Monday. The hackers were said to be very sophisticated.

There is no indication that the hackers gained access to Latitude information held at two separate service providers by using employee login credentials - whether they have been stolen or if this was a credential stuffing attack - which they were not aware of. A consortium of investors, including KKR and Deutsche Bank, acquired Latitude from GE in 2015 to sell its credit cards and instalment payment plans to retailers. In 2021, the company became public. 

Firstmac Limited, one of the largest firms in the country, has informed its customers that it has suffered a data breach the day after an alleged theft of 500GB of data from the company by the new Embargo cyber-extortion group was uncovered. In the financial services industry of Australia, Firstmac is primarily known for its mortgage lending, investment management, and securitization services, which it provides to its clients. 

Based in Brisbane, Queensland, the company employs 460 people and has issued 100,000 home loans. At the moment, the firm manages around $15 billion in mortgage loans. Troy Hunt, the creator of Have I Been Pwned, published on X yesterday a sample of the notice letter sent to Firstmac's customers informing them of a major data breach. 

Cyberdaily, the technology industry publication, reported that a large amount of data was posted on the dark web by the hackers behind the attack. EMBARGO, a ransomware gang with roots in the Netherlands, is credited with the hack – which was carried out sometime in April, according to the publication. As a report points out, Firstmac was given a ransom deadline of May 8 by the gang, a deadline that seems to have lapsed since the gang did not appear to have met that deadline. 

Cyberdaily posted screenshots of the dark website EMBARGO, which provided customer information such as their loan and financial information, as well as their email addresses. Several FirstMac executives and IT departments were also published by the gang. It is unclear how many customers and employees have been affected by the breach. 

FirstMac has been contacted for further information. While Firstmac's security systems have been strengthened in recent months, it still assured its beneficiaries that their funds and accounts are safe, and the firm's systems have been bolstered to ensure this. There has been a new requirement that everyone who wants to change an account or add a card to an account will need to provide their two-factor authentication code or biometric information to verify their identity as one of the measures that increased security.

IDCare is offering free identity theft protection services for recipients of the notices. Users are advised to be cautious when responding to unsolicited correspondence and to regularly check their account statements for any unusual activity or transactions. As a resOn the newly formed threat group's extortion page, it appears that only two victims have been identified, and it is unclear whether or not the new threat group is doing their own data breaches, or if they have been buying stolen data from others intending to blackmail the owners. 

A sample of Embargo encryption has still not been found, so it is unknown if this is a ransomware group, or if they are simply aiming to profit by extorting funds. A large number of hacks against Australian servers were recorded in the 2022-23 financial year, which is an increase of more than 300 per cent compared to the previous financial year, according to the Australian Signals Directorate, an agency under the federal government responsible for security and information. 

A data breach was discovered late last year affecting Melbourne travel agency Inspiring Vacations, in which approximately 112,000 records, totalling 26.8 gigabytes of data, were exposed online as a result of an insecure database that couldn't be password protected. The recent data breach of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World, and Dymocks has been labelled a "new normal" of constant attacks and breaches which have affected millions of Australians including customers of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World, and Dymocks among others. 

There have now been significant increases in penalties for serious or repeated breaches of customer data, largely due to the Optus breach in particular. As a result of the Embargo extortion group having announced the attack online on its site, there was extensive coverage by Australian media outlets about the attack on Firstmac which occurred at the end of April. Earlier this week, Embargo published all of the data they claimed to have stolen from Firstmac's systems, including documents, source code, email addresses, phone numbers, and database backups, one day after they made a claim it had been stolen.