SYDNEY/BENGALURU — Australian consumer finance firm Latitude Group Holdings said hackers stole nearly 8 million Australian and New Zealand driver’s license numbers in one of the country’s biggest confirmed data breaches, sending its shares lower.

The provider of credit cards and personal loans for some of Australia’s biggest retailers added the cyber intruder also took about 53,000 passport numbers and more than 6 million customer records — mostly between 2005 and 2013, in what it called a “distressing development”.

These records include some but not all of the following personal information, such as name, address, telephone number and date of birth.

“It is hugely disappointing that such a significant number of additional customers and applicants have been affected by this incident. We apologize unreservedly,” Latitude Financial Services CEO Ahmed Fahour said.

“We continue to work around the clock to safely restore our operations. We are rectifying platforms impacted in the attack and have implemented additional security monitoring as we return to operations in the coming days.”

The update showed the attack, which temporarily froze Latitude’s operations, affected far more customers than first disclosed by the company on March 16, when it said criminals took 103,000 licenses.

It now ranks among the country’s biggest data thefts, behind only

Singapore Telecommunicationsowned No 2 telecoms Optus and medical insurer Medibank, which each said details of about 10 million customer accounts were compromised in attacks late last year.

Since a wave of data breaches that began with Optus, the Australian government has increased penalties for companies that fail to adequately protect customer data as part of an overhaul of the national cybersecurity strategy still underway.

“Cyberattacks are a growing threat and will become a more routine part of our lives for years to come, and this incident is another reminder of the importance of improving Australia’s cybersecurity and privacy settings,” Cyber Security Minister Clare O’Neil said.

“It remains our position that no customer should bear the cost of a data breach,” she added, noting Latitude was working with the authorities to manage the fallout of the attack.

Shares of Latitude closed down 2.5 percent in a flat overall market, as investors fretted that the company’s exposure may be worse than previously thought.

Latitude first reported the cyberattack on March 16, acknowledging that it resulted in the theft of over 300,000 customer documents. The attacker was believed to have used employee login credentials to steal the data that were held by the company’s service providers.