How hackers used DXC Technology to get inside Latitude Financial


Days before Latitude went public with its cybersecurity breach, routine security scans that look for anomalous activity on the Latitude network flagged a user who had logged in with credentials that were jointly issued (or, technically, cryptographically signed) by Latitude and one of its trusted service providers, which AFR Weekend understands to be DXC Technology.

An administrative user had logged in from DXC, and was doing something that DXC admins don’t usually do.

It’s not clear what activity tripped the scanner, but by the time Latitude had shut down its connection to its upstream service provider, the user had already logged onto the systems of at least two other Latitude service providers, and exfiltrated data belonging to hundreds of thousands of Latitude customers.

It’s understood the data, which included drivers’ licence, passport and even Medicare information, was collected by the two service providers as part of the credit-checking process when anyone applies for a new financial product with Latitude.

In its public statement, Latitude was more circumspect about the event, which is the subject of an Australian Federal Police investigation.

It didn’t publicly identify DXC as the outsourcer through which, Latitude alleges, cybercriminals broke into the Latitude system, stealing data in an attack that – following the Optus and Medibank Private attacks last year – has become an all-too-familiar refrain in Australian business.

“The activity is believed to have originated from a major vendor used by Latitude.

“While Latitude took immediate action, the attacker was able to obtain Latitude employee login credentials before the incident was isolated,” Latitude’s ASX announcement said.

In announcements since then, the lender has acknowledged it is still figuring out the exact size and scope of the data breach.

It’s distinctly possible that the data stolen from the two downstream service providers never passed through Latitude’s network, making it difficult for the company to even determine which customers were affected.

Once the cyberattackers had used Latitude credentials to get inside the two downstream systems, they may well have exfiltrated data directly, rather than via the Latitude connection, meaning Latitude’s security systems never would have detected huge payloads of company data being uploaded offsite.

The company, which uses the US cybersecurity giant CrowdStrike as its primary cybersecurity contractor, has also called in the Google subsidiary Mandiant, as well as the Australian cybersecurity firm CyberCX, to help investigate what happened, AFR Weekend understands.

Contacted for comment on whether the attack did indeed originate from its network, DXC Technology simply referred back to its public statement.

In that statement, the multinational IT services and consulting company said it was “liaising with the Australian Cyber Security Centre (ACSC), and we have advised them that our systems are secure and operating as normal,” suggesting the attack did not come from it.

The fallout

What else the cyberattackers did, other than download an untold number of sensitive documents about Latitude’s Australian and New Zealand customers, will be one of the things CrowdStrike, Mandiant and CyberCX will be racing to determine.

When Medibank Private suffered a data breach last October, messages exchanged between cybercriminals behind the attack and Medibank’s cyber ransom negotiators suggested the attack had been happening for at least a month before it was first detected, allowing time for the criminals to completely map Medibank’s systems.

(Indeed, the attackers even offered to sell the insurance company their insights into Medibank’s security system, as part of the ransom package.)

The Medibank attackers also acknowledged their data exfiltration had merely been the first stage in a multi-stage attack, that would have resulted in Medibank’s data being encrypted with ransomware, crippling the company and increasing the likelihood of it paying the $9.7 million ransom demand.

While it’s unclear whether the Latitude attack would have resulted in the company’s systems being crippled with ransomware had Latitude not pulled the plug on its “major vendor”, there is reason to believe the attack may have been thwarted in its early stages.

The administrator credentials used by the attacker have a short shelf life – it’s common for such credentials to be rotated every 60 or 90 days – and AFR Weekend understands the credentials used in the attack were freshly minted. If those were the first credentials used in the attack, it might have only been going on for days before it was discovered.

And, while some of Latitude’s systems have ground to a halt in the aftermath of the attack – the company says it’s no longer onboarding new customers, for instance – that appears to be the result of Latitude’s actions in the aftermath of the attack, rather than caused by ransomware.

It’s common practice for victims of cyberattacks to bring down their own systems in an effort to contain the attack and ferret out the attackers, and Latitude maintains that’s exactly what it’s done.

Nevertheless, the attack on Latitude is unlikely to be over.

In a recent survey of companies hit by cyberattacks, IBM found it took an average of 277 days, about nine months, for a company hit by an attack to identify and contain it.

Once they’re inside your network, ferreting out cybercriminals can be fiendishly difficult, and that appears to be the case here.

In a Wednesday ASX statement, Latitude said its focus “remains firmly on containing this attack”, suggesting the attack was ongoing at the time, or at least might be, despite the connection with the major service provider having been severed.

Who’s to blame?

The question of who might be held liable for damages wrought by the attack, given Latitude’s assertion that it originated from the systems of a major outsourcer, is also a difficult one.

Regardless of where the attack began, Latitude is responsible for it, says Nigel Phair, enterprise director of the Institute for Cyber Security at UNSW and one of Australia’s leading cybersecurity experts.

“You can outsource functions, but you can’t outsource the risk. That’s what companies like Latitude need to understand. They just have to invest in security themselves,” he says.

“If there’s an upstream provider or a third party, whatever it might be, they just can’t write it off and say ‘Oh it’s their fault’.

“The reality is it’s the Latitude brand that gets impacted, and that’s what I hope is the lesson learned from this attack: you’ve got to know who your service providers are,” Phair says.

But that’s far from a universal view in the cybersecurity industry. Many chief information security officers (CISOs) believe big outsourcers and software providers need to be held to account for flaws in their systems that affect their downstream customers and users.

“We’ve got to stop pretending that we can somehow leave it up to the best efforts of businesses and individuals to protect themselves online with technology which is fundamentally unfit for purpose,” says James Turner, managing director of CISO Lens, a forum for Australia’s CISO community.

Indeed, US President Joe Biden has argued much the same thing. In a shift in US cybersecurity policy announced in early March, the Biden administration said: “We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organisations that are most capable and best-positioned to reduce risks for all of us.”

Possibility or inevitability?

As part of that policy, Biden promised to “(shift) liability for software products and services to promote secure development practices”.

That would be a welcome development for Australian companies, which view a damaging cyberattack not so much as a possibility as an inevitability.

In a study released this week that looks at Australia’s preparedness for cyberattacks, the US networking and cybersecurity giant Cisco found that 92 per cent of Australian businesses expect a cybersecurity incident to disrupt their business in the next 12 to 24 months.

That same study showed 70 per cent of Australian businesses had suffered a damaging cyberattack in the 12 months before the survey, which was conducted immediately before last year’s attacks on Optus and Medibank Private.

The latest attack on Latitude, it seems, is more the norm than the exception.

The attacks that get reported in newspapers are just the tip of the iceberg, said one cybersecurity expert, who requested anonymity because he’s involved in investigating the Latitude attack.

In fact, he says, they’re not even that.

The attacks that get reported to the Australian Cyber Security Centre (ACSC) – at the rate of one attack every seven minutes – are the tip of the iceberg, so great is the underreporting of cyberattacks in Australia.

The ones that make it into newspapers, like the Medibank Private, Optus and now the Latitude attacks, are “the tip of the tip of the iceberg”, he says.
