Some things in life are so personal they’re not shared even with spouses – this is information for tax accountants and car salesmen only. Just ask Stratton Finance’s clients.
Secret car buyers’ business is like that. If there’s one thing the Melbourne-based auto finance broker promises its customers, it’s total discretion with the sensitive financial information provided in any loan application.
Stratton Finance: all customers in the data leak were alerted by email and SMS. Arsineh Houspian
So, it’s unfortunate that ransomware hackers got into Stratton’s data and downloaded files containing details of some of its well-heeled clientele (CEO Rob Jones says it was 0.05 per cent of its clients). And it’s doubly unfortunate that in late April these files were uploaded to the dark web.
Awkwardly, it came just weeks after finance company Pepper Money committed to take a 65 per cent stake in Stratton for $78 million, which Jones says is still on track.
It must make for some curious Melbourne drivers: which of Stratton’s clients are in the data?
It’s not just that the files contain the usual Know Your Customer documents – copies of passports, driver’s licences and other documents, as well as loan contracts.
Stratton gets more personal than that. The data includes some 200-odd income tax returns of clients (with some duplicates and with Tax File Numbers blanked out). This is information that some business leaders never show their life partners, but it’s different when it comes to buying a motor.
Submitting your signed tax return seems a little over the top if you want to buy a second-hand Honda. One client, for example, earned $1 million.
Perhaps these taxpayers were seeking more upmarket transport. You can pick up a base model Ferrari for $410,000, for example. A Rolls-Royce can be seven figures.
Life has hard-luck stories. One client’s return showed gross income of nearly $500,000, but deductions reduced him to struggling along on a taxable income of only $40,000.
It looks like a legal fight with the Tax Office. More than $400,000 was deducted as the “cost of managing tax affairs” for work by legal firms Pitcher Partners, Clayton Utz and “management fees”.
Jones says that Stratton immediately notified clients by email and SMS, as well as the Office of Australian Information Commission – complying with all of its obligations under the Privacy Act, after all. It hired external security experts and set up a dedicated phone line and email for affected customers.
That’s all exemplary. But there’s an issue with horses and stable doors.
Last month, Justice Rofe in the Federal Court made a $750,000 costs order against RI Advice Group, a subsidiary of Insignia Financial (formerly IOOF) as part of an enforceable undertaking, finding that cyber risk management is a critical obligation for financial services firms.
That’s cold comfort for those Stratton clients affected. As for the aforementioned client fighting the Tax Office – at least he could recover most of the $190,000 tax he had already paid as PAYG deductions and instalments. And he’ll have a cracking new motor.