IPH and Latitude Financial both hit with cyber incidents

Intellectual property law giant IPH Limited (ASX: IPH), two of its member firms and personal loans provider Latitude Group (ASX: LFS) have all alerted customers to cyber incidents today, with potentially hundreds of thousands of individuals affected.

According to IPH, the cyber incident was primarily limited to the document management systems (DMS) of its head office and two of its member firms in Australia - Spruson & Ferguson and Griffith Hack, as well as the practice management systems (PMS) of the two firms.

The legal giant, which also counts AJ Park, Pizzeys, Smart & Biggar and Applied Marks as group members, said the unauthorised access to its IT environment occurred on 13 March - one day before the company went into a trading halt to address the issue.

“As soon as this incident was detected IPH commenced working to secure its IT environment and is working with leading external cyber security and forensic IT advisors to respond and conduct a forensic investigation. We are advised that this investigation may take some time to complete,” IPH said.

“The information contained in the DMSs includes documents relating to the administration of these entities and, in the case of the two IPH member firms, client documents and correspondence.

“The PMSs contain IP case management information (such as filing timelines) relating to the practice of the two IPH member firms.”

An investigation is underway which is looking to determine whether the information stored in the systems was accessed by the unauthorised third party.

“We have enacted our business continuity plan (BCP) and, while the functionality of some systems has been affected, we have transitioned to alternative processes which are working adequately to enable the relevant firms to continue to conduct operations, albeit with some disruption.

“We apologise to our clients and the community for any concern that this incident may cause.”

Personal loans company Latitude Financial also went into a trading halt this morning before announcing to the ASX its own ‘sophisticated and malicious’ cyber incident, believed to have originated from a ‘major vendor’ used by Latitude.

According to the company, the attacker was able to obtain employee login credentials before the incident was isolated, which were used to steal personal information from two other service providers.

“While Latitude took immediate action, the attacker was able to obtain Latitude employee login credentials before the incident was isolated,” Latitude said.

“The attacker appears to have used the employee login credentials to steal personal information that was held by two other service providers.”

Latitude said that approximately 103,000 identification documents (97 per cent of which were copies of drivers’ licences) were stolen from the first service provider. A further 225,000 customer records were also stolen from the second service provider.

“Latitude apologises to the impacted customers and is taking immediate steps to contact them,” Latitude said.

“Latitude is continuing to respond to this attack and is doing everything in its power to contain the incident and prevent the theft of further customer data, including isolating and removing access to some customer-facing and internal systems.

“We are working with the Australian Cyber Security Centre, have alerted relevant law enforcement agencies and engaged several cyber security specialists to assist with Latitude’s response.”

These latest cyber incidents follow the high-profile cyber attacks at telco Optus and private health insurer Medibank (ASX: MPL) - the latter of which led to class action law suits on behalf of affected customers.

Four different class actions were launched against MediBank following a data security breach last year that resulted in the personal data of 9.7 million Australian customers being stolen by cyber criminals.

This includes a class action from international law firm Baker McKenzie, while three separate actions from Maurice Blackburn, Bannister Law and Centennial Lawyers were combined.

Optus meanwhile is not the subject of any formal class action law suit, however Maurice Blackburn and Slater & Gordon are both investigating the potential for legal action following the telco’s data breach in 2022.

The cyber attack of Optus exposed almost 10 million current and former customers to identity theft, and any class action could result in a large payout to those affected.

In early trade, shares in IPH are down 10.25 per cent to $7.55 per share.