LandMark White: Possible 'industry-wide' valuation firm data breach

Probably worth of it’s own topic: from the article:

Australia’s banks have started notifying customers that may have been caught up in an “industry-wide” data breach at an ASX-listed property valuation firm.

The incident at LandMark White was notified to the market on February 5 but appears to have gone largely unnoticed until a report by Fairfax Media late Tuesday.

Fairfax reported that CBA and ANZ had suspended use of LandMark White’s valuation services and that NAB was also considering its position.

ANZ is the only one of the big four banks to so far go public on its exposure to the data breach, confirming both the incident and its extent.

“We are currently undertaking investigations to understand specifically which ANZ customers may be affected and we will contact them directly to outline potential impacts and how we will support them,” ANZ chief data officer Emma Gray said in a statement.

“At this stage we understand a very small percentage of our customers who had valuations undertaken between November 2015 and December 2018 are potentially impacted.

“ANZ uses a range of property valuers and the organisation in question represents a very small portion of the valuations conducted.

“As a result of this incident ANZ has currently suspended use of the services of the valuation provider at the centre of the investigations.

“We have no reason to believe any of the other valuers ANZ uses are impacted by this incident.”

I sense a significant amount of ‘spin’ … more at the link below …

Referenced from the above link:

On Tuesday night Commonwealth Bank of Australia and ANZ Bank revealed they had suspended LandMark White from their panels of valuers while National Australia Bank said it was still assessing the impact on its customers. Westpac did not respond by deadline.

A well placed source said CBA was contacting more than 20,000 customers in the wake of the breach.

“As part of the data incident, customer information relating to property valuations was found hidden on the internet,” the bank, Australia’s biggest lender, said in a statement.

“The customer information that was disclosed relates directly to the valuations completed by LandMark White and includes customer name; contact details such as phone or email address; and details about the valued property.”

The CBA statement said no bank account information was disclosed in the breach and apologised to customers for the incident.

“We take the protection of data and security incidents very seriously. The safety and security of our customers’ information is of paramount importance to us, which is why we have immediately suspended using LandMark White while we investigate how this occurred,” the statement said.

LandMark White has set up a website for its customers and said there was no evidence of misuse of any information although that position remained "under close review’'.

CBA has notified 20,000 customers …

The ‘official’ ‘LandMark White’ FAQ on the subject is here: https://www.lmw.com.au/faqs

That’s a big one, thanks for sharing @draughtrider

It’s interesting to ponder the realities of this kind of thing - realities we will probably never really know. Some random questions that spring to my mind (I had some others that have escaped me) are:

• how much information was really compromised
• do the ‘owners’ of the data know how much was compromised, real vs potential etc.
• who compromised it
• is the ‘scope/nature’ of the compromised data the same as being claimed by the ‘owner’
• do the ‘owners’ of the data know who compromised it
• has the compromised data been ‘contained’
• what ‘attack vectors’ does the compromised data make available to ‘bad guys’
• what is the value of the compromised data to ‘bad guys’
• do the thieves know the value of the compromised data
• is the compromised data available either freely or for a price on the (cue sinister music) ‘dark web’
• do the (so called) ‘authorities’ have any leads, or indeed if they do, any jurisdictional power to act
• what actual evidence of anything exists? do the owners/authorities even have a clue?
• what was the ‘compromise’
• how and how well has the ‘compromise’ been closed …
• will Ma and Pa Kettle on the street connect some ‘random scam’ to this compromise, if it is connected …
• (I’d be interested to see other pertinent or even obscure questions raised …)

I was directly involved in what one might call a significant breach in the distant past - we’re talking 15 or so years ago, before people were as savvy to the implications. The difference between what I was directly responsible for mopping up and what the customer was told (complete fairy tale) and what was disclosed to the public (nothing at all) was breathtaking … hence my interest in the topic … I think things have only become more worrying since then …

more on the presence of the data on the ‘dark web’ …

… in part …

It has been reported that none of Australia’s Big Four banks have resumed using Landmark White’s services.

Landmark White said that further re-posts of the same data were possible.

“It is quite possible that over the coming weeks and months further subsets may be re-posted,” the company said.

“In this eventuality, we will continue to take steps to assess and if possible remove the documents as quickly as possible.”

Personally, I find these comments rather breathtaking …

Around “137,500 unique valuation records, and approximately 1,680 supporting documents” were taken as a result of the incident and later emerged on the dark web, the company said in a statement, though it was at pains to stress data of birth and credit card details were not in the mix.

“Although we do not know the identity of the individual, our investigations reveal that an unknown third party posted the dataset on a dark web forum on or about 11.57pm GMT, 31 January 2019, which has since been taken offline on or about 8.08pm GMT, 10 February 2019.

“We do not know how many people accessed the dataset throughout the approximately 10 days that it was available on the dark web, LandMark White’s statement on the incident said.

The company has also taken a direct swipe at the material effect of mandatory breach notification obligations, especially the coverage and noise they generate.

“LMW anticipates that continued public commentary does not allow for an informed market for trading in LMW securities,” White said.

Those comments underscore previous concerns raised about the operation and effects of breach reporting mechanisms by senior cyber officials including Alastair MacGibbon, the head of the Australian Cyber Security Centre that companies can be inadvertently punished for doing the right thing.

The nature of the current notification regime, which is intended to limit cyber damage and speed remediation by requiring disclosure, has arguably created a publicity pipeline of incidents that are now routinely exploited as a free marketing opportunity by security vendors big and small.

‘inadvertently punished’ … how unfortunate … I’d expect that if the facts are wrong, they’d take steps to correct them - if they are correct, then so be it … not counting the spin and statements of the obvious made so far …

Most businesses over here that are hacked/breached are happy to not notify as it means 1) they don’t suffer criticism, 2) it doesn’t affect share prices, income and reimbursement/compensation to as many if it had been more public and 3) it means they don’t have to spend proper budgets on security. There can be more reasons but these 3 are really the major drivers of why they didn’t in the past. They now whine about how it will/has cost them to publically notify in a somewhat more timely manner but in all of this there is still no real recognition of how it has cost the public that the information was taken and abused.

Of course it has. If they didn’t have to report, they wouldn’t - and the only people to suffer would be those whose data they failed to secure!

Most data breaches occur either through phishing attacks on employees (train your employees, people) or via existing and widely known vulnerabilities in the software a company is using. These companies need to understand and accept responsibility for keeping private data secure, and not simply blame a law that finally holds them to some minimal level of accountability.

Assuming Landmark and CBA have done their due diligence, this is probably a good thing …

Let’s hope

CBA has reinstated LandMark White as an option to conduct residential property valuations, after the institution assured itself of the valuer’s information security following a data breach in January.

LandMark White said in a financial filing that it anticipates other lenders will start using its services again this week, although it could take several weeks for revenues to return to “pre-incident levels”.

Interesting the CBA is the first …

“CBA’s data protection group have worked closely with [us] to assess and improve [our] data security environment and are committed to continue working to ensure [our] data privacy, security standards and internal processes meet or exceed CBA’s requirements,” LandMark White said.

LandMark White said that some of the security enhancements it had made since the breach included “anonymisation of private details on completed valuations”.

I can’t put my finger on what about those statements makes me feel uneasy - probably just my cynicism

The valuer said today the vulnerability that led to 137,500 valuation records being disclosed had been repaired prior to the company even learning of the breach.

It assessed that all but 25 individuals were at “very low risk of harm” from the breach. Those more at risk of harm had been given “additional personal assistance”.

So ‘in their opinion’ only 25 individuals needed additional personal assistance - in addition to the personal assistance given to the 137,500 people? I wonder how much real and tangible assistance or even notification was given to everyone affected …

Hmmmm …

But not related to previous data breach.

Embattled property valuation firm LandMark White can’t seem to win a trick.

After finally resuming trading on the ASX after its epic suspension to clean up its affairs and get vital bank customers back on board, the company late on Thursday fessed-up yet again, calling-in the Australian Cyber Security Centre over more valuation documents being exfiltrated and posted online.

This time, according to LandMark White’s ASX announcement, the leaked PDFs “mostly comprise PDF valuation documents and other operationally related commercial documents” found their way onto sharing website SCRIBD and are now in the process of being removed.

However the company says the latest leak is not related to the previous data breach incident that forced it off the board.

Rather, the finger is being pointed at what LandMark White’s management claims is an attempt to sabotage the company with key executives lashing out.

After months of eating humble pie, LMW chairman Keith Perrett unloaded in the Sydney Morning Herald , saying that “Someone is trying to destroy the company."

That’s why we need to have ‘good security’ - there is a plethora of people/groups/etc trying to do all manner of ‘bad things’ on the Internet - this is hardly news, and no excuse.

It’s great to see those new breach disclosure laws are working so well.

Property valuation and repeat data breach victim LandMark White has returned to the corporate blood bin after eight financial institutions suspended business with the firm.

Trading in LandMark White’s shares were again placed in a halt at market close on Tuesday after it was told beleaguered shareholders the CBA, NAB, ANZ, Bankwest, Bendigo and Adelaide Bank, Suncorp, HSBC and Latrobe had all pulled their business.

It comes after the disclosure of a second exfiltration incident the company insists is not a notifiable data breach under privacy laws.

The CBA had previously come to the rescue of the company, helping it clean up the fallout from the previous data breach.

LandMark White’s chairman Keith Perrett has defended the disclosure over the latest incident, accusing the alleged perpetrators of the document exfiltration of deliberate sabotage and referring the matter to police.

“not a notifiable data breach” according to their intrepid leader …

I’m pretty sure I mentioned the calibre of our breach disclosure laws when the bills were first tabled in Parliament - or perhaps when they became law. Terms like ‘farcical’ come to mind.

You did - Pythonesque is the word circling whats left of my mind, much along the same line of thought I suspect - maybe one relates to the law itself, the other to the pantomime that ensues