(Reuters) -Australian consumer finance firm Latitude Group Holdings Ltd said hackers stole nearly 8 million Australian and New Zealand drivers licence numbers in one of the country's biggest confirmed data breaches, sending its shares lower.
The provider of credit cards and personal loans for some of Australia's biggest retailers added the cyber intruder also took about 53,000 passport numbers and more than 6 million customer records, mostly from between 2005 and 2013, in what it called a "distressing development".
The update showed the attack which temporarily froze Latitude's operations affected far more customers than first disclosed by the company on March 16, when it said criminals took 103,000 licences.
It now ranks among the country's biggest data thefts, behind only Singapore Telecommunications Ltd-owned No. 2 telco Optus and medical insurer Medibank Private Ltd which each said details of about 10 million customer accounts were compromised in attacks late last year.
Since a wave of data breaches began with Optus, the Australian government has increased penalties for companies which fail to adequately protect customer data as part of an overhaul of the national cyber security strategy still underway.
"Cyber attacks are a growing threat and will become a more routine part of our lives for years to come, and this incident is another reminder of the importance of improving Australia’s cyber security and privacy settings," said Cyber Security Minister Clare O'Neil.
"It remains our position that no customer should bear the cost of a data breach," she added, noting Latitude was working with the authorities to manage the fallout of the attack.
Shares of Latitude closed down 2.5% in a flat overall market, as investors fretted that the company's exposure may be worse than previously thought.
"Whenever investors hear of a data breach, they tend to assume the worst," said Matt Simpson, senior market analyst at City Index.
Latitude said in a statement its insurance covered cyber-security risks.
"We are rectifying platforms impacted in the attack and have implemented additional security monitoring as we return to operations in the coming days," CEO Ahmed Fahour said in the statement.
(Reporting by Byron Kaye in Sydney and Navya Mittal in Bengaluru; Editing by Tom Hogue, Muralikumar Anantharaman, Sherry Jacob-Phillips and Sonali Paul)