Latitude Group has warned its half-year and full-year profits are expected to fall substantially in the wake of the company’s recent cyber attack, in which almost 8 million drivers’ licence numbers and 14 million records were stolen.
In an update provided to the ASX on Friday, Latitude said the lost income and higher credit losses resulting from the cyber attack would impact its cash and statutory profit.
“While Latitude was able to continue processing transactions as it responded to the March cyber-attack, new account originations and collections were closed or severely restricted for a period of approximately five weeks,” the company said.
Latitude indicated its cash net profit after tax (NPAT) for the half year to 30 June, is expected to sit in the range of $5–10 million, down from $93 million in the same period a year earlier.
“Latitude had anticipated some normalisation in loss ratios across its portfolio, however the cyber-attack has materially worsened this trend due to lost collections activity,” it said.
Cash NPAT for the full year is expected to be in the range of $15–25 million, compared to $153.5 million in the previous financial year, due to the reduced first half earnings, the flow-on effect of a lower receivables base and the temporary impact on collections.
Latitude also flagged a statutory loss after tax of $95–105 million for the half, given the direct impact of the attack on its operations, an increase in credit provisions and a provision for costs and remediation. The company has also forecast a full-year statutory loss.
As a result, Latitude said it is unlikely to declare an interim dividend for the first half.
After undertaking an extensive review, the company also indicated it would make a provision for costs associated with the cyber attack.
“While the range of potential outcomes is large and there are many unknowns, the board anticipates it will recognise approximately $53 million after tax in 1H23, which includes both costs incurred and a provision of $46 million after tax,” it said.
“This provision is made up largely of remediation costs but does not include the potential for regulatory fines, class actions, future system enhancements or an assumption of insurance proceeds.”
Latitude noted the attack remains under investigation by the Australian Federal Police and said it was continuing to cooperate with the Australian Information Commissioner and New Zealand Office of The Privacy Commissioner as part of their investigations.
“Extensive further enquiries from regulators are expected over the coming months,” Latitude said.
Regular commercial operations have now been “fully restored” and no suspicious activity has been observed on the company’s systems since 16 March, the date on which Latitude originally disclosed what it believed to be a “sophisticated and malicious cyber attack”.
At the time, Nigel Phair, a professor of practice at Monash University’s Department of Software Systems & Cybersecurity, said it was “disappointing, yet unsurprising” to see another Australian organisation suffer a cyber attack and subsequent data breach.
“Until all Australian companies prioritise risk management of their online assets, this will continue,” he said.
“This attack also highlights that many intrusions into organisations occur through trusted third-party organisations who themselves often do not prioritise cyber security risk management.”
The attack on Latitude Financial followed other high profile cyber attacks on Optus and Medibank last year which compromised the personal details of millions of Australians.
