(Updates with further details, analyst comments)
March 16 (Reuters) - Australian digital payments and lending firm Latitude Group Holdings said on Thursday a hacker had stolen personal information of around 328,000 customers held by two service providers through employee login credentials.
About 103,000 identification documents, more than 97% of which are copies of drivers' licences, were stolen from the first service provider, while about 225,000 customer records were stolen from the second service provider.
Latitude said it had detected unusual activity on its systems over the last few days originating from one of its "major" vendors, but did not disclose its identity.
"The attacker was able to obtain Latitude employee login credentials before the incident was isolated," the company said in an exchange filing.
Latitude, which provides consumer finance services to the country's major retailers including Harvey Norman and JB Hi-Fi, said it was attempting to contain the situation and stop the theft of additional consumer data.
The loans, credit card and insurance provider also said it was working with the Australian Cyber Security Centre and relevant authorities to investigate the attack.
Shares of the firm were halted as at 0250 GMT.
"While early days, there is undoubtedly going to be a short-term cost impact," analysts at Citigroup said in a note.
"Costs of A$10 million to A$15 million could be a reasonable estimate based on the respective size of businesses and customer bases, but could be mitigated by cyber insurance."
Latitude Group, owned nearly 64% by an entity controlled by KKR, has recently been focusing on attempts to reduce costs, including selling its Hallmark insurance business and also exiting the buy-now pay-later space in the Australia-New Zealand market.
Earlier in the day, intellectual property services provider IPH Ltd also flagged unauthorised access to a portion of its IT environment.
Australia has been hit by a slew of cyber attacks since late last year, with health insurer Medibank Private and Optus, the local unit of Singapore Telecommunications being the largest victims.
(Reporting by Upasana Singh and Rishav Chatterjee in Bengaluru; Editing by Devika Syamnath, Maju Samuel and Rashmi Aich)