Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:55 PM
Connect Directly

Up to 100,000 Reported Affected in Landmark White Data Breach

Australian property valuation firm Landmark White exposed files containing personal data and property valuation details.

LandMark White (LMW), a commercial and residential property valuation firm based in Australia, was discovered to be exposing troves of consumer data via an unprotected online service.

The data appears to contain 57,000 client invoices with names, addresses, phone numbers, and email addresses, along with full property valuation notes, banking data, and other details typically included in property valuations, says Hack Notice founder Steve Thomas.

A report from the Sydney Morning Herald states up to 100,000 people may have been involved in the incident. However, each invoice could contain multiple people, which Thomas says could account for the discrepancy. There were also scans of signed contracts, which could have additional parties involved, and identities of agents were leaked — another number not included in the invoice count.

Hack Notice, a data breach notification service, regularly conducts reconnaissance and gathers threat intelligence to see what hackers are posting. Researchers discovered files containing LMW data on a Dark Web server and began indexing the information so they could alert clients. They soon learned the pool of data they were analyzing had more data than they thought.

"As we were looking, we started to get more concerned," Thomas explains. "[There were] 57,000 people who had recently purchased a home or were about to purchase a home, which is a time hackers really like to commit fraud."

The data was reportedly exposed from an internal file service at LandMark White, which may have set it up to facilitate information-sharing between agents and clients, he continues. A source says the web service did not require authentication, rendering the data vulnerable. Thomas explains there was a collection script in the Dark Web server that hackers could have used to collect the information, which they posted and shared via an Onion link.

As for the information exposed, some of the earliest files go back to 2015, Thomas says. The most recent dates go up to January 25, 2019. From what researchers can tell based on current findings, the data downloaded from the exposed service is all data from the past five years.

"This looks like it's been replicated from the company's site," says Troy Hunt, Microsoft regional director and creator of HaveIBeenPwned. "It looked like HTML pages, [which] would imply someone has had access to an interface somewhere." It seems someone gained access to an internal system, made requests, saved responses, and posted them, he explains. This data didn't come from a database; it was scraped from a website or portal.

Files show the service exposing the data has been shut down, and the hacker who posted the data took the server down this weekend. They posted a message stating they planned to update with a new Dark Web server; however, they have yet to do so.

Details, Ties, and Implications
While that pool of clients is not insignificant, researchers are still working to ascertain the total number of people affected. Hack Notice reports 5 million files exposed. "It really is a wealth of information," Thomas adds. "We've been looking at those records trying to figure out the amount of risk clients would face."

Commonwealth Bank of Australia (CBA), Australia's biggest lender, as well as ANZ Bank, have both suspended LMW from their panels of valuers, the SMH report explains. "The customer information that was disclosed relates directly to the valuations completed by LandMark White and includes customer name; contact details such as phone or email address; and details about the valued property," CBA officials said in a statement.

CBA states no bank account information has been disclosed but is in the process of contacting more than 20,000 customers to share what happened. ANZ is still working to determine how its clients are affected, though as of now it appears to be "a very small percentage of customers" who had valuations done between November 2015 and December 2018, the bank reports.

This is limited to a small number of people, Thomas says, but it's a "very concerning" event for those affected. After all, buying a home is among the largest purchases anyone undertakes. Further, the buying and selling of real estate is a major business for cybercriminals, he adds. Those whose information was exposed are vulnerable to phishing campaigns and wire fraud.

"We don't know how it's been used, or if it's been used, but data like this is a fairly lucrative price for a hacker if they're looking to commit fraud," he notes.

LMW has hired external security firms to launch an investigation. "We are working closely with experts in IT and cybersecurity as well as our corporate partners, to achieve the best possible outcome for our clients," LandMark White chief executive Chris Coonan said in a statement.

LMW has updated its FAQ page to disclose information on the breach. While its investigation is onoing, it reports the exposed dataset did contain property valuation and some personal contact info of borrowers, lenders, homeowners, residents, and property agents, including first and last names, residential address, and contact numbers. Data also includes commentary about the property, relevant to its overall valuation. It does not include loan application details or financial or identity documents.

Hunt says he doesn't see a relationship between this breach and other security incidents; this is likely standalone. "It's yet another trove of data floating around," he adds. He also doesn't see a connection between this incident and LMW's October 2018 acquisition of Taylor Byrne.

However, he does warn companies to be cautious when entering into M&A agreements. In many cases, data breaches become apparent only after the acquisition has been finalized and due diligence completed. While the breach is usually coincidental and unrelated to the purchase, it should be top of mind for businesses buying other companies.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
2/13/2019 | 1:34:13 PM
Now whoever came up with this brilliant logic should be fired on the spot.  I can see no reason to believe that no aiuthentication is a good thing.  Incredible really.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Safeguarding Schools Against RDP-Based Ransomware
James Lui, Ericom Group CTO, Americas,  9/28/2020
Navigating the Asia-Pacific Threat Landscape: Experts Dive In
Kelly Sheridan, Staff Editor, Dark Reading,  9/25/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-27
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even witho...
PUBLISHED: 2020-09-27
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an uploa...
PUBLISHED: 2020-09-27
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> ...