Consumer finance company Latitude Financial is refusing to pay a ransom to cyber criminals after millions of customers had their personal records stolen.

Latitude Financial on Tuesday said it would not reward criminal behaviour, nor did it believe coughing up ransom money would see customers’ stolen information returned or destroyed.

“Latitude will not pay a ransom to criminals,” company chief executive Bob Belan said.

“Based on the evidence and advice, there is simply no guarantee that doing so would result in any customer data being destroyed, and it would only encourage further extortion attempts on Australian and New Zealand businesses in the future.

“Our priority remains on contacting every customer whose personal information was compromised, and to support them through this process.”

About 7.9 million people had their driver’s licence details taken and about 53,000 passport numbers were stolen in the hack, which was detected last month.

Latitude also admitted an additional 6.1 million records dating back to at least 2005 were poached, including names, addresses, telephone numbers and dates of birth.

Fewer than 100 customers had a monthly financial statement stolen, the consumer finance company told the ASX in March.

The attackers laid out what data they stole as part of the ransom threat, and it was consistent with Latitude’s disclosure about how many customers were affected, the company said.

The Australian Federal Police is investigating the hack and Latitude is working with the Australian Cyber Security Centre and cyber security experts in its wake.

The company is in the process of contacting all customers whose information was compromised in the hack, outlining what was stolen and its plans for remediation.

Latitude has insurance policies to cover risks including cyber security risks and has notified insurers about the hack, the company said.

“Our teams have been focused on safely restoring our IT systems, bringing staffing levels back to full capacity, enhancing security protections and returning to normal operations,” Mr Belan said.

“I apologise personally and sincerely for the distress that this cyber attack has caused and I hope that in time we are able to earn back the confidence of our customers.”

The company has not detected suspicious activity in its systems since March 16.

Cyber Security Minister Clare O’Neil confirmed Latitude’s decision to reject the ransom demand was consistent with Australian government advice.

Cyber criminals cheated, lied and stole, and paying them only fuelled the ransomware business model, she said.

“They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals,” Ms O’Neil said on social media.

The minister wanted Australia to be the most cyber-secure country in the world by 2030, and Australians had to deny hackers any profits from their crimes in order to achieve that, she said.

– AAP