threat intelligence

Latitude Financial Cyber Attack: What It Reveals About Third-Party Risk

The Latitude Financial breach in March 2023 exposed the data of 14 million individuals across Australia and New Zealand. Initial access came through a service provider's credentials. Third-party risk is not a theoretical concern.

By Ryan Balloot, Managing Director. 20 July 2023. 1 min read.

In March 2023, Latitude Financial disclosed that a cyber attack had resulted in the theft of personal information belonging to approximately 14 million individuals across Australia and New Zealand. The breach was one of the largest in Australian corporate history.

The Attack Vector

The attacker obtained login credentials belonging to a Latitude employee at a major vendor or service provider. Those credentials were used to access Latitude's systems. The initial scope appeared to involve approximately 330,000 records, but investigation revealed the true extent was far larger.

Why Third-Party Access Is a Significant Risk

Most businesses grant access to multiple third parties — IT providers, managed service providers, software vendors, accountants, and consultants. Each represents a potential entry point. The security posture of your business is partly determined by the security posture of every party with access to your systems.

What Vendor Risk Management Looks Like in Practice

At minimum: an inventory of all third parties with access to your systems, a review of what access each has and whether it is scoped to minimum necessary, confirmation that those parties enforce MFA on the accounts used to access your environment, and a process for revoking access promptly when the relationship ends.
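The four minimum steps above map directly onto a periodic access review that can be run over an inventory of third-party accounts. The script below is an added example, not IronSights' own tooling or anything from the Latitude investigation; the inventory records, the field names on each record and the 90-day stale-access threshold are constructed assumptions. Each record is checked for privileges beyond what the engagement needs, for MFA enforcement, for a contract end date that has already passed, and for access that has not been used recently enough to justify keeping.

```python
"""Third-party access review over a constructed vendor inventory.

Added example, not the page's or any vendor's tooling. Every record
below is constructed; field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class VendorAccess:
    vendor: str                     # third party holding the access
    account: str                    # account used in our environment
    granted: Set[str]               # privileges the account actually holds
    required: Set[str]              # privileges the engagement needs
    mfa_enforced: bool              # vendor confirms MFA on this account
    contract_end: Optional[date]    # None = open-ended relationship
    last_used: Optional[date]       # None = never seen in access logs


# Constructed sample inventory (hypothetical vendors and accounts).
INVENTORY = [
    VendorAccess("Managed IT Co", "svc-mit-admin",
                 {"vpn", "domain-admin", "ticketing"}, {"vpn", "ticketing"},
                 True, None, date(2023, 7, 15)),
    VendorAccess("Payroll Vendor", "payroll-api",
                 {"payroll-db"}, {"payroll-db"},
                 False, date(2024, 6, 30), date(2023, 7, 18)),
    VendorAccess("Former Consultant", "jdoe-consult",
                 {"vpn", "file-share"}, {"vpn", "file-share"},
                 True, date(2023, 3, 31), date(2023, 2, 2)),
    VendorAccess("Accountant", "acct-readonly",
                 {"finance-reports"}, {"finance-reports"},
                 True, None, date(2022, 12, 1)),
]

# Date the review is run as of (constructed to match the sample data).
REVIEW_DATE = date(2023, 7, 20)


def review_access(inventory: List[VendorAccess], today: date,
                  stale_days: int = 90) -> Dict[str, List[str]]:
    """Return {account: [findings]} for every record that fails a check.

    Accounts with no findings are omitted, so an empty dict means the
    inventory passed all four checks.
    """
    findings: Dict[str, List[str]] = {}
    for rec in inventory:
        issues: List[str] = []

        # 1. Scope: anything granted beyond what the engagement requires.
        excess = rec.granted - rec.required
        if excess:
            issues.append(f"over-scoped: {sorted(excess)}")

        # 2. MFA: the vendor must enforce it on the account they use here.
        if not rec.mfa_enforced:
            issues.append("mfa not enforced")

        # 3. Revocation: access outliving the relationship that justified it.
        if rec.contract_end is not None and rec.contract_end < today:
            issues.append(
                f"relationship ended {rec.contract_end.isoformat()}: revoke")

        # 4. Dormancy: unused access is a standing entry point with no owner
        #    paying attention to it, so confirm it is still needed.
        if rec.last_used is None or (today - rec.last_used).days > stale_days:
            issues.append(f"unused for >{stale_days} days: confirm still needed")

        if issues:
            findings[rec.account] = issues
    return findings


if __name__ == "__main__":
    for account, issues in review_access(INVENTORY, REVIEW_DATE).items():
        print(account)
        for issue in issues:
            print(f"  - {issue}")
```

Running the script against the sample data flags each account for a different reason: an administrative privilege the managed IT contract does not need, a payroll integration without MFA, a consultant whose engagement ended months ago but whose access was never revoked, and a read-only account nobody has used for most of a year. In practice the `granted` set would be pulled from the identity provider or directory rather than typed in, and `last_used` from authentication logs; the review logic stays the same.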

The OAIC Investigation

Latitude initially declined to pay the ransom demanded by attackers. The OAIC launched an investigation into whether Latitude had complied with its obligations under the Privacy Act. The incident contributed to the momentum behind the Privacy Act reforms, particularly around notification timelines and penalty levels.

Should we require our vendors to provide security attestations?

Yes. For vendors with access to sensitive data or critical systems, requesting SOC 2 reports, ISO 27001 certificates, or completing vendor security questionnaires is reasonable and increasingly standard. The level of scrutiny should match the level of access.
