Firstmac Limited (Loans.com.au) - Cyber Incident

Another Day Another Data Breach

We are writing to advise you of a cyber incident that occurred at Firstmac Limited (Firstmac), a business partner of loans.com.au, that impacts you. Firstmac is a provider of loans, mortgage financing and advisory services, and holds personal information about you in connection with the products provided to you by loans.com.au.

What has happened?

Firstmac recently experienced a cyber incident where an unauthorised third party accessed a part of our IT system. As soon as we detected the incident, we took steps to immediately secure our system. We also engaged cyber security experts to assist us with our investigation.

Unfortunately, our investigation has identified that an unauthorised third party has accessed some customer information.

What information has been impacted?

We have conducted a comprehensive review of the impacted files and have identified the following personal information relating to you:

  • Name
  • Contact Information (residential address, email address and/or phone number)
  • Date of Birth
  • External bank account information (BSB and account number only)
  • Driver’s licence number

You are receiving this email because you are a current or former customer of loans.com.au.

As explained further below, if you are a current customer, there is no evidence of impact to your loans.com.au account and your funds are secure.

It is important to note that our systems are secure. We already have robust security processes in place for any account access changes, which will require you to confirm your identity using either Biometrics or Two Factor Authentication.

There is a lot more in the email, but that is the gist of it.

News article on it
https://www.google.com/amp/s/amp.9news.com.au/article/8c651e…

Comments

  • +12

    It has been 0 days since a Data Breach.

  • +8

    Why do they even need to keep licence number on file? After identity verification can't they delete that?

    • +2

      There is no personal right of action for privacy (you can’t sue unless you can show additional damages), and the government is beholden to big business so they won’t do anything to enforce the lax penalties in place.
      Compare to worker safety, where as soon as company directors became liable, workplace safety became much, much better swiftly.

    • +1

      Can't sell your details if they delete them.

      • +6

        What’s worse is there’s no “right to be forgotten” - so even if you’ve closed your account and specifically requested a company delete your data, they don’t have to… which means they don’t

  • they can't bring in a compulsory national ID service for all identity related services for the private sector quick enough ><

    private sector can't be trusted to hold personal ID documents as is shown day after week after month after year

    The fewer fingers gathering their own personal data information from customers the better

    • +1

      Why would you have faith that a central government honeypot is more secure? Have you never used a government IT system?
      They could design a system to be privacy respecting, but there is absolutely no indication that the merest flicker of interest in doing so has crossed the mind of the government.

      • Why would you have faith that a central government honeypot is more secure? Have you never used a government IT system?

        because private sector has soooooooooooooooo much more ability to keep your private data safe for a phone plan you bought 10 years ago

        They could design a system to be privacy respecting, but there is absolutely no indication that the merest flicker of interest in doing so has crossed the mind of the government.

        wrong, https://www.abc.net.au/news/2024-04-01/government-backed-dig…

        • +2

          Have you used the MyGovID system? Note it is not the myGov system used by Centrelink and Medicare.
          It is not a reassuring system.

          • @mskeggs: yes I use the mygovID system and it's fine. soon as I was verified no more bs of inputting or providing ID documents

            imagine if when applying for a bank account, credit card, home loan all they did to verify your identity was confirm a mygovID code on your phone…..instead of store 100pts of your personal ID documents for eternity to eventually be stolen

            • +1

              @MrThing: There are several issues with the government centralized ID that concern me.
              The first is I don’t have any faith in the government securing this data, and while you can say business is worse, and I agree, I am looking for improvements - not simply accepting government assurances they will do a good job. Historically, the government has been prevented from unifying ID information because it becomes a valuable target.
              Secondly, the centralized ID makes it trivial to surveil people for new purposes. Again, you could argue Google and Facebook already do a lot of this, but there is a step change when it is the government with law making abilities and a police force doing the surveillance. This is a slippery slope argument, but probably feels quite real to somebody seeking an abortion in Arkansas who also might have assumed the government had no business surveilling them a few years ago.
              The system could be designed and regulated to provide for privacy.
              For example, the government does not need to know I am applying for a credit card. An identity verification request can be conducted anonymously using PKI, much like SSL works in a web browser, can be done in a federated fashion so that one entity does not have to hold all the data in one place, and can occur without one entity being able to record the transaction.

              The government’s legislation is very much a “trust us” step, is optional, unless you want to access the services where it is compulsory, and has no reason to believe it will be taken up (do you still use your myPostID?).
              Registering is cumbersome, and will be beyond the half of the population most vulnerable to being a victim, and the benefits are slim.

              The best it can do is maybe mean some government orgs won’t keep a separate store of personal details, perhaps. And maybe private enterprise will want to spend time and money supporting this option, understanding they still need to maintain other options, and will be publicly shamed if they sign up but are found to have subpar systems.

              I understand politics means the perfect is the enemy of good, but too much has been traded away to make this proposed system even good.
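              The comment above sketches an identity check that works like a browser's TLS certificate check: the relying party verifies a signature against a trusted public key and nobody has to be called back, so no single party gets to record the transaction. As an added example, not the commenter's code and not any real government system, the Go program below implements that idea with the standard library's Ed25519. The issuer signs a credential once at enrolment; later a relying party (a bank, say) verifies it entirely offline with the issuer's public key and its own fresh nonce, so the issuer never learns that the presentation took place. The three roles, the claim names, the 32-byte nonce and the one-day expiry are illustrative assumptions. It goes slightly beyond the comment by binding the credential to the holder's own key and rejecting replays, tampering and expired credentials.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the statement the issuer (assumed here to be a government
// identity service) signs once at enrolment: only the attributes needed, an
// expiry, and the holder's public key so the credential is bound to its holder.
type Credential struct {
	HolderPub []byte            `json:"holder_pub"`
	Claims    map[string]string `json:"claims"`
	Expires   int64             `json:"expires"` // Unix seconds
}

// SignedCredential is the serialised credential plus the issuer's signature.
type SignedCredential struct {
	Payload   []byte
	Signature []byte
}

// Presentation is what the holder hands a relying party: the signed credential
// and the holder's signature over the relying party's fresh nonce.
// The issuer is not contacted and learns nothing about this exchange.
type Presentation struct {
	Cred      SignedCredential
	Nonce     []byte
	HolderSig []byte
}

// Issue is run by the issuer once. After this the issuer plays no part.
func Issue(issuerPriv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(issuerPriv, payload)}, nil
}

// Present is run by the holder: signing the relying party's nonce with the
// bound key proves possession, so a copied credential alone cannot be replayed.
func Present(holderPriv ed25519.PrivateKey, sc SignedCredential, nonce []byte) Presentation {
	return Presentation{Cred: sc, Nonce: nonce, HolderSig: ed25519.Sign(holderPriv, nonce)}
}

// Verify is run by the relying party offline: it needs only the issuer's
// public key, the nonce it generated itself, and the current time.
func Verify(issuerPub ed25519.PublicKey, p Presentation, expectedNonce []byte, now time.Time) (map[string]string, error) {
	if !ed25519.Verify(issuerPub, p.Cred.Payload, p.Cred.Signature) {
		return nil, errors.New("issuer signature invalid (credential forged or altered)")
	}
	var c Credential
	if err := json.Unmarshal(p.Cred.Payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() > c.Expires {
		return nil, errors.New("credential expired")
	}
	if !bytes.Equal(p.Nonce, expectedNonce) {
		return nil, errors.New("nonce mismatch (replayed presentation)")
	}
	// Length check first: ed25519.Verify panics on a malformed public key.
	if len(c.HolderPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(c.HolderPub), p.Nonce, p.HolderSig) {
		return nil, errors.New("holder proof-of-possession invalid")
	}
	return c.Claims, nil
}

// NewNonce returns a fresh 32-byte challenge the relying party keeps to compare.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Enrolment: the issuer vouches only for the attributes actually needed
	// (constructed sample claims, not real identity data).
	sc, _ := Issue(issuerPriv, Credential{
		HolderPub: holderPub,
		Claims:    map[string]string{"over18": "true", "ref": "constructed-example-ref"},
		Expires:   time.Now().Add(24 * time.Hour).Unix(),
	})

	// Verification at the relying party, with no call back to the issuer.
	nonce, _ := NewNonce()
	claims, err := Verify(issuerPub, Present(holderPriv, sc, nonce), nonce, time.Now())
	fmt.Println("fresh presentation:", claims, err)

	// The same presentation against a different nonce is a replay and is rejected.
	nonce2, _ := NewNonce()
	_, err = Verify(issuerPub, Present(holderPriv, sc, nonce), nonce2, time.Now())
	fmt.Println("replayed presentation:", err)
}
```

              The design point is the one the comment makes: the relying party's trust anchor is the issuer's public key, not a live lookup, so the issuer cannot log who presented what to whom, and the relying party receives only the attributes in the credential rather than a copy of the underlying documents. Federation in the comment's sense would simply mean the relying party trusting more than one issuer key.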

              • @mskeggs: I have far more faith in a central government agency to provide ID security (they have a vested interest in ID security) vs a private company where everything is a race to the bottom and everything is for sale

                regarding the big man knowing what I am applying for never really bothered me. If you are on social media, have a google account, etc - all your private thoughts and dreams are already public domain for those companies to sell. Horse has bolted

                mypostID

                no idea what that is, never used it

                • @MrThing: I’ve been involved in a lot of government ICT projects. I agree the government wants to do the right thing, I don’t have any faith they will succeed, and they have a track record of failure.
                  I can’t put it any differently, this is hard stuff, they need to perform exquisitely to get a positive outcome.
                  It is not the case that the only options are the current mess of hopeless private sector failure, or a central government project that will almost undoubtedly fail for any of a plethora of reasons.

                  My very strong prediction is we will have the same hopeless mess of private sector failure in five years, plus a mess of a government attempt that fails and costs a bomb.
                  What will be revealed by then is if the government project is a failure because it is unused and irrelevant, or it gets some use and fails for other reasons.

                  Let’s compare in May 29 and see.

              • +1

                @mskeggs: The Snowden leaks demonstrated all governments collect and store as much about you as they want. It's all legal when "national security" is involved.

            • +3

              @MrThing: +10 social credits for defending mygovid. Thank you for your service.

          • @mskeggs: MyGovID system I found a complete waste of time. It just goes in circles, I couldn't get it to work.

    • +1

      Need to make it from a government perspective imo.

      People shit on government all day long but it's far more robust and secure than anything the private sector does. It's hilarious the amount of data people put into a private company that has been lost but they're not comfortable with the same for government.

      Having worked for both, government takes it far more seriously and takes far more precautions with your data.

      • I trust a government COBOL server in a 1950s bunker to hold my data more securely than a company using the latest trendy database management system in the cloud that's accessible by every outsourced customer service representative and managed IT service.

      • How about when they just hand over your personal (identified) data to a third party?
        Dept of Veterans Affairs hands over data

        Paywalled so here's a brief quote -

        "Identified medical records belonging to 300,000 veterans, widows and others connected to the Department of Veterans’ Affairs have been routinely provided to a university for cost-saving research without the knowledge or consent of the people involved.

        The practice, ostensibly to deliver the Veterans’ Medicines Advice and Therapeutics Education Services (MATES) program, has been running for almost two decades, but the Department of Veterans’ Affairs (DVA) has, at least since 2017, wilfully ignored concerns raised by veterans who discovered only by accident that their sensitive data was being given to a third party.

        In the six years since a complaint was made by a former serviceman, the department has refused to halt the data handover, asserting it was within its rights to do what it wanted with the medical records and did not need the consent of its clients to continue the program."

      • One example of how robust Government data protection is (there's also a couple more references to Gov't data issues at this link too) -

        MyGov

        BTW if you if want to check out a decent listing of breaches by year -

        Aust Data Breaches

  • +4

    Disappointing. Left them around 10 years ago and they're still keeping my licence number? dafuq you call that.

    Class suit now.

  • From the recent Medibank and Optus IT leak incidents, it seems there is no cost to such an incident.

  • Did you guys hear about the ClubsNSW data breach?
    https://www.canberratimes.com.au/story/8613892/nsw-police-in…

    Ridiculous that your local club retains your data!

    • Even better when a business leaves a password-free database readily accessible even after being informed about it, and the researcher then says -
      "The law firm representing Smoke Alarm Solutions has stated “Based on the circumstances of the alleged incident as instructed by our client, the alleged incident does not, in our view, constitute a notifiable data breach under the Act, and therefore our client is not required to notify either the authorities or any individual about such alleged incident”."

      Smoke Alarm Solutions

      If you are contracted with them it would be wise to take a very close look at any invoices etc that you receive in the future.

  • Firstmac recently experienced a cyber incident where an unauthorised third party accessed a part of our IT system….
    ….our investigation has identified that an unauthorised third party has accessed some customer information.

    It is important to note that our systems are secure. We already have robust security processes in place

    Do they not see that they are publishing blatantly contradictory statements?

    Sorry, but I see no reason to believe their systems are secure and have robust security processes.

  • +1

    Picture yourself as a "hacker" going after private business data. Sometimes you score, but if everything's centralized, all these hackers will be out of work. Yeah, about 80% might throw in the towel 'cause the government system's tough to crack, but these 20% will give it a burl (bigger budget hackers). They'll try everything from social engineering to knowing a government insider or straight-up hacking. Once they crack it, it's game over!
