LandMark White (LMW), a commercial and residential property valuation firm based in Australia, was discovered to be exposing troves of consumer data via an unprotected online service.
The data appears to contain 57,000 client invoices with names, addresses, phone numbers, and email addresses, along with full property valuation notes, banking data, and other details typically included in property valuations, says Hack Notice founder Steve Thomas.
A report from the Sydney Morning Herald states up to 100,000 people may have been involved in the incident. However, each invoice could contain multiple people, which Thomas says could account for the discrepancy. There were also scans of signed contracts, which could have additional parties involved, and identities of agents were leaked — another number not included in the invoice count.
Hack Notice, a data breach notification service, regularly conducts reconnaissance and gathers threat intelligence to see what hackers are posting. Researchers discovered files containing LMW data on a Dark Web server and began indexing the information so they could alert clients. They soon learned the pool of data they were analyzing had more data than they thought.
"As we were looking, we started to get more concerned," Thomas explains. "[There were] 57,000 people who had recently purchased a home or were about to purchase a home, which is a time hackers really like to commit fraud."
The data was reportedly exposed from an internal file service at LandMark White, which may have set it up to facilitate information-sharing between agents and clients, he continues. A source says the web service did not require authentication, rendering the data vulnerable. Thomas explains there was a collection script in the Dark Web server that hackers could have used to collect the information, which they posted and shared via an Onion link.
As for the information exposed, some of the earliest files go back to 2015, Thomas says. The most recent dates go up to January 25, 2019. From what researchers can tell based on current findings, the data downloaded from the exposed service is all data from the past five years.
"This looks like it's been replicated from the company's site," says Troy Hunt, Microsoft regional director and creator of HaveIBeenPwned. "It looked like HTML pages, [which] would imply someone has had access to an interface somewhere." It seems someone gained access to an internal system, made requests, saved responses, and posted them, he explains. This data didn't come from a database; it was scraped from a website or portal.
Files show the service exposing the data has been shut down, and the hacker who posted the data took the server down this weekend. They posted a message stating they planned to update with a new Dark Web server; however, they have yet to do so.
Details, Ties, and Implications
While that pool of clients is not insignificant, researchers are still working to ascertain the total number of people affected. Hack Notice reports 5 million files exposed. "It really is a wealth of information," Thomas adds. "We've been looking at those records trying to figure out the amount of risk clients would face."
Commonwealth Bank of Australia (CBA), Australia's biggest lender, as well as ANZ Bank, have both suspended LMW from their panels of valuers, the SMH report explains. "The customer information that was disclosed relates directly to the valuations completed by LandMark White and includes customer name; contact details such as phone or email address; and details about the valued property," CBA officials said in a statement.
CBA states no bank account information has been disclosed, but it is in the process of contacting more than 20,000 customers to share what happened. ANZ is still working to determine how its clients are affected, though as of now it appears to be "a very small percentage of customers" who had valuations done between November 2015 and December 2018, the bank reports.
This is limited to a small number of people, Thomas says, but it's a "very concerning" event for those affected. After all, buying a home is among the largest purchases anyone undertakes. Further, the buying and selling of real estate is a major business for cybercriminals, he adds. Those whose information was exposed are vulnerable to phishing campaigns and wire fraud.
"We don't know how it's been used, or if it's been used, but data like this is a fairly lucrative price for a hacker if they're looking to commit fraud," he notes.
LMW has hired external security firms to launch an investigation. "We are working closely with experts in IT and cybersecurity as well as our corporate partners, to achieve the best possible outcome for our clients," LandMark White chief executive Chris Coonan said in a statement.
LMW has updated its FAQ page to disclose information on the breach. While its investigation is ongoing, it reports the exposed dataset did contain property valuation and some personal contact info of borrowers, lenders, homeowners, residents, and property agents, including first and last names, residential address, and contact numbers. Data also includes commentary about the property, relevant to its overall valuation. It does not include loan application details or financial or identity documents.
Hunt says he doesn't see a relationship between this breach and other security incidents; this is likely standalone. "It's yet another trove of data floating around," he adds. He also doesn't see a connection between this incident and LMW's October 2018 acquisition of Taylor Byrne.
However, he does warn companies to be cautious when entering into M&A agreements. In many cases, data breaches become apparent only after the acquisition has been finalized and due diligence completed. While the breach is usually coincidental and unrelated to the purchase, it should be top of mind for businesses buying other companies.