Up to 330,000 customer records stolen in Latitude hack

Latitude Financial has been hit by a cyber attack, with more than 300,000 customer records stolen. (AAP Image)

Almost 330,000 customer records and identification documents have been stolen from Latitude Financial.

The company says it appears to have been hit by a sophisticated and malicious cyber attack, originating from a major vendor.

It believes criminals accessed an employee's log-in credentials, then stole customer information from two service providers.

About 103,000 identification documents appear to have been stolen from one provider, believed to be mostly driver's licences.

A further 225,000 customer records were stolen from the second provider.

Hollywood star Alec Baldwin used to appear in advertisements for the company, which offers loans, insurance and credit cards.

It inked a 10-year deal to provide credit cards to David Jones customers in January, after the department store retailer's contract with American Express ended.

It also has agreements with JB Hi-Fi, The Good Guys, Harvey Norman and other retailers.

Latitude has apologised and is contacting affected customers.

"Our priorities are to ensure the ongoing security of our customers, our employees and our partners while continuing to deliver services," the company's listed holding company told the Australian Stock Exchange on Thursday. 

Some customer-facing and internal systems have been removed in an attempt to stop more data from being taken.

It's one of the first major hacks on a financial services company in Australia, which makes it significant, according to UNSW Associate Professor Rob Nicholls.

"What is it about Latitude's supply chain and business model that it relies so heavily on service providers that don't have adequate cyber security?" he told AAP.

Latitude Group Holdings Ltd is in a trading halt until Monday.

Three weeks ago the company revealed it would end its buy-now-pay-later scheme in Australia and New Zealand, which has been used by about half a million customers.

Meanwhile, intellectual property services group IPH has also been impacted by a cyber security incident.

The listed company detected unauthorised access to "a portion of its IT environment" on March 13, it told the stock exchange on Thursday.

It's believed to have impacted the document management system used in its head office.

Two firms that it works with have also been caught up in the incident, potentially impacting client documents, information and other case details.

Associate Professor Nicholls said the two incidents highlight the importance of governance within a supply chain, but the motives behind them were likely very different.

"A discussion with a patent attorney as to what a patent should look like before it's even filed could be incredibly valuable as intellectual property on its own, but is very different from stealing 100,000 driver's licences," he said.

It comes after a series of high-profile cyber attacks in Australia over the past 12 months, which targeted multiple companies, including Optus and Medibank.