Latitude Financial Services, Australia's biggest non-bank lender, has revealed that the extent of a data breach it suffered earlier this month is more significant than initially estimated.

The company initially reported that the number of impacted customers was 328,000, but now confirmed that the real number of affected individuals is 14 million, including customers, past customers and applicants across Australia and New Zealand.

In the incident, which took place on March 15, 2023, a threat actor stole an employee's login to breach two of the company's service providers holding Latitude's customer data. Following the attack Latitude shut down customer-facing services and launched an investigation to determine the full scope of the breach. Initially, the company said that the incident affected over 300,000 customer records, mostly driver’s licenses.

In an update posted on its website Latitude said that stolen data includes 7.9m Australian and New Zealand driver’s license numbers, 53,000 passport numbers, and financial statements, and around 6.1 million records dating back to at least 2005. The records include names, addresses, phone numbers and dates of birth.

The Australian Federal Police, which is investigating the breach, said that there’s no evidence so far that the stolen data was leaked online or put up for sale on dark web markets.