Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:55 PM
Connect Directly

Up to 100,000 Reported Affected in Landmark White Data Breach

Australian property valuation firm Landmark White exposed files containing personal data and property valuation details.

LandMark White (LMW), a commercial and residential property valuation firm based in Australia, was discovered to be exposing troves of consumer data via an unprotected online service.

The data appears to contain 57,000 client invoices with names, addresses, phone numbers, and email addresses, along with full property valuation notes, banking data, and other details typically included in property valuations, says Hack Notice founder Steve Thomas.

A report from the Sydney Morning Herald states up to 100,000 people may have been involved in the incident. However, each invoice could contain multiple people, which Thomas says could account for the discrepancy. There were also scans of signed contracts, which could have additional parties involved, and identities of agents were leaked — another number not included in the invoice count.

Hack Notice, a data breach notification service, regularly conducts reconnaissance and gathers threat intelligence to see what hackers are posting. Researchers discovered files containing LMW data on a Dark Web server and began indexing the information so they could alert clients. They soon learned the pool of data they were analyzing had more data than they thought.

"As we were looking, we started to get more concerned," Thomas explains. "[There were] 57,000 people who had recently purchased a home or were about to purchase a home, which is a time hackers really like to commit fraud."

The data was reportedly exposed from an internal file service at LandMark White, which may have set it up to facilitate information-sharing between agents and clients, he continues. A source says the web service did not require authentication, rendering the data vulnerable. Thomas explains there was a collection script in the Dark Web server that hackers could have used to collect the information, which they posted and shared via an Onion link.

As for the information exposed, some of the earliest files go back to 2015, Thomas says. The most recent dates go up to January 25, 2019. From what researchers can tell based on current findings, the data downloaded from the exposed service is all data from the past five years.

"This looks like it's been replicated from the company's site," says Troy Hunt, Microsoft regional director and creator of HaveIBeenPwned. "It looked like HTML pages, [which] would imply someone has had access to an interface somewhere." It seems someone gained access to an internal system, made requests, saved responses, and posted them, he explains. This data didn't come from a database; it was scraped from a website or portal.

Files show the service exposing the data has been shut down, and the hacker who posted the data took the server down this weekend. They posted a message stating they planned to update with a new Dark Web server; however, they have yet to do so.

Details, Ties, and Implications
While that pool of clients is not insignificant, researchers are still working to ascertain the total number of people affected. Hack Notice reports 5 million files exposed. "It really is a wealth of information," Thomas adds. "We've been looking at those records trying to figure out the amount of risk clients would face."

Commonwealth Bank of Australia (CBA), Australia's biggest lender, as well as ANZ Bank, have both suspended LMW from their panels of valuers, the SMH report explains. "The customer information that was disclosed relates directly to the valuations completed by LandMark White and includes customer name; contact details such as phone or email address; and details about the valued property," CBA officials said in a statement.

CBA states no bank account information has been disclosed but is in the process of contacting more than 20,000 customers to share what happened. ANZ is still working to determine how its clients are affected, though as of now it appears to be "a very small percentage of customers" who had valuations done between November 2015 and December 2018, the bank reports.

This is limited to a small number of people, Thomas says, but it's a "very concerning" event for those affected. After all, buying a home is among the largest purchases anyone undertakes. Further, the buying and selling of real estate is a major business for cybercriminals, he adds. Those whose information was exposed are vulnerable to phishing campaigns and wire fraud.

"We don't know how it's been used, or if it's been used, but data like this is a fairly lucrative price for a hacker if they're looking to commit fraud," he notes.

LMW has hired external security firms to launch an investigation. "We are working closely with experts in IT and cybersecurity as well as our corporate partners, to achieve the best possible outcome for our clients," LandMark White chief executive Chris Coonan said in a statement.

LMW has updated its FAQ page to disclose information on the breach. While its investigation is onoing, it reports the exposed dataset did contain property valuation and some personal contact info of borrowers, lenders, homeowners, residents, and property agents, including first and last names, residential address, and contact numbers. Data also includes commentary about the property, relevant to its overall valuation. It does not include loan application details or financial or identity documents.

Hunt says he doesn't see a relationship between this breach and other security incidents; this is likely standalone. "It's yet another trove of data floating around," he adds. He also doesn't see a connection between this incident and LMW's October 2018 acquisition of Taylor Byrne.

However, he does warn companies to be cautious when entering into M&A agreements. In many cases, data breaches become apparent only after the acquisition has been finalized and due diligence completed. While the breach is usually coincidental and unrelated to the purchase, it should be top of mind for businesses buying other companies.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
2/13/2019 | 1:34:13 PM
Now whoever came up with this brilliant logic should be fired on the spot.  I can see no reason to believe that no aiuthentication is a good thing.  Incredible really.
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...