Latitude suffers 338% drop in profit after largest cyberattack in NZ history
“2023 was undoubtedly the most challenging year in Latitude’s history,” said Bob Belan, chief executive of Latitude Group, after a catastrophic 338% drop in after-tax profits.
The personal loan company, which lends in both New Zealand and Australia, was hit by the largest data breach in New Zealand history last year.
The company, whose shares are listed on the Australian ASX sharemarket, lost data on about one in five New Zealanders and a vast number of Australians in a cyberattack in March last year.
Now Latitude, which operates the Gem by Latitude brand in New Zealand, has posted its 2023 full-year financial results, revealing it made a loss of A$138 million (NZ$146m) in 2023, down from a profit of A$58m the previous year.
After the cyberattack, Latitude’s normal operations were disrupted for six weeks, as it had to temporarily stop lending and redeploy resources to contact millions of customers and ex-customers, as well as beginning a “rebuild” of the business, including beefing up its cyber defences.
The privacy breach involved data being stolen from a third party using a Latitude staffer’s login details.
The data breach prompted unprecedented co-operation between privacy regulators on either side of the Tasman Sea.
Latitude told investors that borrowers continued to trust the company and continued to take out loans with it, and lending volumes were returning to normal.
A spokesperson for the Office of the Privacy Commissioner said: “Our investigation is continuing, so we are not able to make a comment at this stage.”
Latitude has set aside A$49.6m for customer remediation costs, future legal costs, and in case it has to pay fines as a result of regulators taking action against it.
The cyberattack resulted in a rise in missed payments on Latitude loans, after the lender had to “pause” its pursuit of borrowers who were behind on their repayments.
It was also temporarily unable to increase its lending rates as a result of the disruption caused by the cyberattack.
Latitude said the cyberattack had resulted in costs of A$68.3m for the company.
The scale of the data breach was unprecedented in New Zealand, though the previous year Australia had suffered two enormous privacy breaches, at telecoms company Optus and insurer Medibank.
The details of 14 million Latitude customers were stolen from its computer systems in the March cyberattack, including the drivers’ licence numbers of 7.9 million Australian and New Zealand customers.
Many New Zealanders ended up getting terrifying emails and texts from the lender telling them that they were among the people whose data had been stolen.
This included some data on 1.037 million New Zealand drivers’ licences, of which approximately 16,000 were the images of licences, and the rest were licence numbers, Latitude said.
The fines Latitude faces under Australian
law, if it is prosecuted, are far higher than those in New Zealand, after Australian politicians lost patience with companies failing to protect their customers’ data.
The investigation includes privacy regulators looking at whether the lender was holding on to the data of former customers who had closed their accounts, including some who said they had asked the lender to delete their data.
The breach embarrassed Kiwibank which had a deal to refer its customers to Latitude when they wanted a personal loan, and the bank has announced that the deal is over.
In the three months following the data breach, Latitude spent A$76m dealing with the data breach, the lender revealed in August.
Since the catastrophic breach in March investors have seen the company’s share price track sideways, compared to a 4.35% rise in the ASX200 Index of leading Australian companies.