Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:55 PM
Connect Directly

Up to 100,000 Reported Affected in Landmark White Data Breach

Australian property valuation firm Landmark White exposed files containing personal data and property valuation details.

LandMark White (LMW), a commercial and residential property valuation firm based in Australia, was discovered to be exposing troves of consumer data via an unprotected online service.

The data appears to contain 57,000 client invoices with names, addresses, phone numbers, and email addresses, along with full property valuation notes, banking data, and other details typically included in property valuations, says Hack Notice founder Steve Thomas.

A report from the Sydney Morning Herald states up to 100,000 people may have been involved in the incident. However, each invoice could contain multiple people, which Thomas says could account for the discrepancy. There were also scans of signed contracts, which could have additional parties involved, and identities of agents were leaked — another number not included in the invoice count.

Hack Notice, a data breach notification service, regularly conducts reconnaissance and gathers threat intelligence to see what hackers are posting. Researchers discovered files containing LMW data on a Dark Web server and began indexing the information so they could alert clients. They soon learned the pool of data they were analyzing had more data than they thought.

"As we were looking, we started to get more concerned," Thomas explains. "[There were] 57,000 people who had recently purchased a home or were about to purchase a home, which is a time hackers really like to commit fraud."

The data was reportedly exposed from an internal file service at LandMark White, which may have set it up to facilitate information-sharing between agents and clients, he continues. A source says the web service did not require authentication, rendering the data vulnerable. Thomas explains there was a collection script in the Dark Web server that hackers could have used to collect the information, which they posted and shared via an Onion link.

As for the information exposed, some of the earliest files go back to 2015, Thomas says. The most recent dates go up to January 25, 2019. From what researchers can tell based on current findings, the data downloaded from the exposed service is all data from the past five years.

"This looks like it's been replicated from the company's site," says Troy Hunt, Microsoft regional director and creator of HaveIBeenPwned. "It looked like HTML pages, [which] would imply someone has had access to an interface somewhere." It seems someone gained access to an internal system, made requests, saved responses, and posted them, he explains. This data didn't come from a database; it was scraped from a website or portal.

Files show the service exposing the data has been shut down, and the hacker who posted the data took the server down this weekend. They posted a message stating they planned to update with a new Dark Web server; however, they have yet to do so.

Details, Ties, and Implications
While that pool of clients is not insignificant, researchers are still working to ascertain the total number of people affected. Hack Notice reports 5 million files exposed. "It really is a wealth of information," Thomas adds. "We've been looking at those records trying to figure out the amount of risk clients would face."

Commonwealth Bank of Australia (CBA), Australia's biggest lender, as well as ANZ Bank, have both suspended LMW from their panels of valuers, the SMH report explains. "The customer information that was disclosed relates directly to the valuations completed by LandMark White and includes customer name; contact details such as phone or email address; and details about the valued property," CBA officials said in a statement.

CBA states no bank account information has been disclosed but is in the process of contacting more than 20,000 customers to share what happened. ANZ is still working to determine how its clients are affected, though as of now it appears to be "a very small percentage of customers" who had valuations done between November 2015 and December 2018, the bank reports.

This is limited to a small number of people, Thomas says, but it's a "very concerning" event for those affected. After all, buying a home is among the largest purchases anyone undertakes. Further, the buying and selling of real estate is a major business for cybercriminals, he adds. Those whose information was exposed are vulnerable to phishing campaigns and wire fraud.

"We don't know how it's been used, or if it's been used, but data like this is a fairly lucrative price for a hacker if they're looking to commit fraud," he notes.

LMW has hired external security firms to launch an investigation. "We are working closely with experts in IT and cybersecurity as well as our corporate partners, to achieve the best possible outcome for our clients," LandMark White chief executive Chris Coonan said in a statement.

LMW has updated its FAQ page to disclose information on the breach. While its investigation is onoing, it reports the exposed dataset did contain property valuation and some personal contact info of borrowers, lenders, homeowners, residents, and property agents, including first and last names, residential address, and contact numbers. Data also includes commentary about the property, relevant to its overall valuation. It does not include loan application details or financial or identity documents.

Hunt says he doesn't see a relationship between this breach and other security incidents; this is likely standalone. "It's yet another trove of data floating around," he adds. He also doesn't see a connection between this incident and LMW's October 2018 acquisition of Taylor Byrne.

However, he does warn companies to be cautious when entering into M&A agreements. In many cases, data breaches become apparent only after the acquisition has been finalized and due diligence completed. While the breach is usually coincidental and unrelated to the purchase, it should be top of mind for businesses buying other companies.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Ninja
2/13/2019 | 1:34:13 PM
Now whoever came up with this brilliant logic should be fired on the spot.  I can see no reason to believe that no aiuthentication is a good thing.  Incredible really.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.