Financial services company Latitude Group is the subject of an unfolding cyber-attack, with around 14 million customer records stolen. UNSW Business School associate professor Rob Nicholls told ACM it was likely the largest data breach Australia has experienced. "Up until today, it looked as though it would be the third largest hack in Australia," he said. "But with the revelation there are 14 million records lost, it's become bigger than Optus and bigger than Medibank Private," he said.
The company said the hack was detected around two weeks ago, with the criminals accessing 7.9 million drivers licences, 53,000 passport numbers and around 100 customers' monthly financial statements. Latitude said 6.1 million records dating back to at least 2005 were also taken in this month's hack, including names, addresses, telephone numbers and dates of birth.
"Australia's data security needs to become a national priority, and it's cases like Latitude Financial that demonstrate why," Associate Professor Nicholls said. The financial services company offers loans, credit cards and insurance policies to Australian and New Zealand customers. "Our people are working around the clock to contain the attackers," Latitude said in a statement.
"What's worse is the hackers are in the systems of Latitude's service providers," Associate Professor Nicholls said. This outsourcing means Latitude is "one step removed", he said. "If you're a financial services business, why would you outsource? It's only because it looks to be cheaper," Associate Professor Nicholls said. "But if the cost of outsourcing is reputational harm, that's just not worth it," he said. Managing data in-house means companies can apply their own processes to addressing breaches like this, he said.
The company said they are working with cyber-security experts, the Australian Cyber Security Centre, the Australian Federal Police (AFP) and relevant government agencies. An AFP spokesperson told ACM a criminal investigation was launched into the Latitude Financial Services cyber incident on Friday, March 17.
"We recognise that today's announcement will be a distressing development for many of our customers and we apologise unreservedly," Latitude said. "It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident," CEO Ahmed Fahour said. He said a full review would be conducted.
The hack affects almost eight million Latitude customers in Australia and New Zealand. In October 2019, LatitudePay, Latitude's digital payments platform, announced it had partnered with national retailers including Forty Winks, Prouds, Angus and Coote, Goldmark, Bing Lee and Harvey Norman, but it's not clear if any associated data was accessed in the hacks. Latitude said 60 per cent of the data stolen is from customers who have been with the financial services company for more than 10 years, and 3.2 million hacked records came from more recent customers.
"We are writing to all customers, past customers and applicants whose information was compromised outlining details of the information stolen and our plans for remediation," the company said. Latitude said they're contacting affected customers directly to discuss the stolen information and the best course of action. This process is likely to take a few days and customers' patience is appreciated, Latitude said.
Existing customers can continue to make transactions on their Latitude credit card, the company said on March 23. "We will help [customers] replace identification documents, where necessary, at no cost," Latitude said.
Customers should be aware that scammers can use the confusion surrounding a hack to gain extra data by impersonating the breached organisation. Cyber security organisation IDcare warns that any communication about the hack could be from scammers, so keep passwords and codes private and don't give remote access to devices. "We urge all our customers to be vigilant and on the look-out for suspicious behaviour relating to their accounts. We will never contact customers requesting their passwords," Latitude CEO Mr Fahour said.