Genoapay and Gem cyberattack: Buy now pay later company says 225,000 customer records stolen

Latitude Financial said about 328,000 customer records and driver licence copies were stolen from two service providers. Image / Herald Network Graphic

More than 300,000 customer records and documents have been stolen in a cyberattack affecting New Zealand and Australian finance company customers.

Genoapay customers and people who previously applied for the buy now pay later company’s services were sent an email overnight from parent company Latitude Financial.

“We’re writing to you directly to update you on a recent cyberattack that Latitude Financial is actively responding to. Regrettably, the attack has resulted in the theft of some customer data,” Latitude’s chief operating officer Andrew Walduck wrote.

“The attacker appears to have stolen personal information that was held by two Latitude service providers, impacting customers across both Australia and New Zealand.”

The company said about 103,000 ID documents, more than 97 per cent of which were copies of drivers’ licences, were stolen from one service provider.

And about 225,000 customer records were stolen from a second service provider, Walduck added.

The email did not specify which providers were affected but Genoapay customers received the notice and the company also operates consumer finance company and lender Gem in New Zealand.

ASX-listed Latitude Financial Services owns Genoapay.

The attacker was reportedly able to obtain employee login credentials and steal the documents before the incident was isolated.

Business News Australia said Latitude Financial went into a trading halt before telling the ASX about a “sophisticated and malicious” cyber incident.

Walduck said the company would contact people directly if their personal information was disclosed.

“We are working with the relevant authorities and have engaged cybersecurity specialists as we continue to do everything in our power to contain the attack.”

Genoapay last month announced it was leaving New Zealand. It previously processed applications relying on information people provided.

Credit reports could disclose the frequency of credit applications, previous defaults, court actions, previous bankruptcies or unsatisfactory repayment information.

On February 17, Latitude announced a full-year net profit after tax of A$36.3 million ($39.1m) for the year to December 31.

That was 77 per cent down on the A$160.3m made in the previous financial year.

When it announced Genopay’s departure from New Zealand, the company said it would exit New Zealand on April 11.

Genopay had made the decision to close its buy now pay later offering in New Zealand and Australia after completing an extensive strategic review of the service, the company said.

Where to get help

• NZ Cert: Individuals, small businesses can report a cyberattack, get advice - www.cert.govt.nz
• IDCare: Backed by the Ministry of Justice and its counterpart in Australia. Assistance freezing your credit record, regaining control of your online identity after an ID theft - idcare.org
• Netsafe: Report online bullying, hate speech, dangerous content - netsafe.org.nz
• NZ Police - Report cybercrime online scams, online child safety issues - police.govt.nz/advice-services/cybercrime-and-internet
• Dept of Internal Affairs - Report spam, banned content, child exploitation - www.dia.govt.nz/About-the-Digital-Safety-Group