Almost 330,000 customer records and identification documents have been stolen from an Australian financial company that has used Hollywood star Alec Baldwin in its advertising.
Latitude Financial says it appears to have been hit by a sophisticated and malicious cyber attack, originating from a major vendor.
It believes criminals accessed an employee's log-in credentials and stole customer information from two service providers.
About 103,000 identification documents appear to have been stolen from one provider, believed to be mostly driver licences.
A further 225,000 customer records were stolen from the second provider.
Latitude offers loans, insurance and credit cards. It inked a 10-year deal to provide credit cards to David Jones customers in January, after the department store retailer's contract with American Express ended.
The company also has agreements with JB Hi-Fi, The Good Guys, Harvey Norman and other retailers.
Latitude has apologised and is contacting affected customers.
"Our priorities are to ensure the ongoing security of our customers, our employees and our partners while continuing to deliver services," the company's listed holding company told the Australian Stock Exchange.
Some customer-facing and internal systems have been removed in an attempt to stop more data being taken.
It's one of the first major hacks on a financial services company in Australia, which makes it significant, according to UNSW Associate Professor Rob Nicholls.
"What is it about Latitude's supply chain and business model that it relies so heavily on service providers that don't have adequate cyber security?" he told AAP.
Monash University Professor Nigel Phair said because banking and finance were Australia's most important critical infrastructure sectors, it was vital organisations put extra effort into security.
"It is disappointing, yet unsurprising," he said, stressing many attacks could be traced back to third-party breaches.
"Until all Australian companies prioritise risk management of their online assets this will continue."
Latitude Group Holdings Ltd has been placed in a trading halt.
Three weeks ago the company revealed it would end its buy-now-pay-later scheme in Australia and New Zealand, which has been used by about half a million customers.
Meanwhile, intellectual property services group IPH has also been impacted by a cyber security incident.
The listed company detected unauthorised access to "a portion of its IT environment" on Monday, it told the stock exchange.
It's believed to have affected the document management system used in its head office.
Two firms it works with have also been caught up in the incident, potentially impacting client documents, information and other case details.
Associate Professor Nicholls said the two incidents highlighted the importance of governance within a supply chain but motives behind them were likely very different.
"A discussion with a patent attorney as to what a patent should look like before it's even filed could be incredibly valuable as intellectual property on its own, but is very different from stealing 100,000 driver's licences," he said.
There have been a series of high-profile cyber attacks in Australia during the past 12 months that targeted multiple companies, including Optus and Medibank.
Australian Associated Press
Sign up for our newsletter to stay up to date.