Exclusive: The array of deeply intimate financial information today confirmed as stolen in the Latitude hack is "as bad as it gets", a cyber privacy expert has declared, leaving 290,000 victims potentially vulnerable to blackmail, extortion and theft.
9news.com.au can confirm hackers gained access to highly private banking, work and personal records that almost 300,000 Latitude customers had entrusted to the firm, including details of employment, income, household expenses, assets and liabilities. Hackers also hoovered up those customers' BSB and account numbers.
The 290,000 people affected are part of the 14 million overall customer records known to have been stolen in the breach.
Today's revelations depict an alarming level of exposure, privacy expert Dr Brendan Walker-Munro told 9news.com.au.
"In terms of exploitation, this is as bad as it gets," Walker-Munro said.
"With Medibank the danger was criminals using the stolen data to blackmail or harass people with vulnerable or compromising medical conditions.
"Here, they can just go straight for the money."
The full extent of the hack has grown significantly worse since the company revealed the attack in March.
Walker-Munro said the breadth and specificity of information taken from 290,000 customers allowed anyone who holds it to essentially mimic a victim's legal identity to a financial institution.
"A criminal could apply for bank accounts, loans, credit cards - the works."
Although cyber criminals can just falsify things like someone's assets and expenses, having the actual details of a real-life person gives scammers a detailed example of a customer who has already received credit, Walker-Munro explained.
"This means they don't have to try to game the algorithms behind the credit decisions by making up 'believable' numbers."
Hackers can also potentially use that detail to access accounts already held in the name of that customer, he said, or to try and get more information about the person from a government department.
Almost 8 million drivers licenses are known to have be stolen.
Walker-Munro also warned of the possibility that hackers could use this kind of highly personal information in a direct blackmail or ransom scenario.
A victim could get a phone call from criminals threatening to expose how close they are to bankruptcy, or their level of debt, unless a ransom of Bitcoin was paid.
"You have to remember that, statistically, at least some of the customers in the hacked data were having debts recovered from them by Latitude for overdue payments, contract breaches and other things," he said.
Warning over 'true blue' texts from supposed 'mate'
A Latitude spokesperson confirmed "approximately 290,000 BSB and account numbers provided for personal loan disbursements, as well as income and expense information used to assess loan applications", were compromised in the March cyber-attack.
"No account passwords were stolen," the spokesperson told 9news.com.au.
"Some cancelled or expired credit card numbers provided for debt consolidation were also compromised.
"No card expiry dates or CVC numbers were stolen."
In the aftermath of one of Australia's worst breaches, civil litigation experts Gordon Legal and Hayden Stephens and Associates are joining forces to investigate a potential class action.
Gordon Legal said it was "deeply concerned" about the impact of the data breach on Latitude customers.
"We are investigating how a breach of this size could occur," the firm said.
Walker-Munro said the kind of information hackers got access to was not unexpected, given core parts of Latitude's business involved building a complete financial picture of potential borrowers.
Earlier this month Latitude said hackers had threatened to release customer records unless an undisclosed ransom was paid, a demand the company refused.
In the days after news of the attack went public, Latitude warned the full extent of the breach could get worse.
They were right.
On March 16, first announcing the attack, it said more than 330,000 personal records had been impacted.
Less than two weeks later it upgraded the damage to 14 million records, including 7.9 million Australian and New Zealand drivers licences, 53,000 passport numbers and a small number of monthly financial statements.
Then, in April, supermarket giant Coles confirmed it had been caught up in the Latitude breach too, revealing personal information for historical Coles-branded credit cards had been stolen.
Australian Federal Police are investigating the crime.
Sign up here to receive our daily newsletters and breaking news alerts, sent straight to your inbox.