Australia’s banks have started notifying customers that may have been caught up in an “industry-wide” data breach at an ASX-listed property valuation firm.
The incident at LandMark White was notified to the market on February 5 but appears to have gone largely unnoticed until a report by Fairfax Media late Tuesday.
Fairfax reported that CBA and ANZ had suspended use of LandMark White’s valuation services and that NAB was also considering its position.
ANZ is the only one of the big four banks to so far go public on its exposure to the data breach, confirming both the incident and its extent.
“We are currently undertaking investigations to understand specifically which ANZ customers may be affected and we will contact them directly to outline potential impacts and how we will support them,” ANZ chief data officer Emma Gray said in a statement.
“At this stage we understand a very small percentage of our customers who had valuations undertaken between November 2015 and December 2018 are potentially impacted.
“ANZ uses a range of property valuers and the organisation in question represents a very small portion of the valuations conducted.
“As a result of this incident ANZ has currently suspended use of the services of the valuation provider at the centre of the investigations.
“We have no reason to believe any of the other valuers ANZ uses are impacted by this incident.”
LandMark White said it had “closed off a security vulnerability which we had identified in one of our valuation platforms” on January 23.
However, a tweet published Tuesday night appeared to indicate the breach had been noticed a few weeks earlier and that relevant Australian government authorities had been tipped off to it.
Landmark White, however, said that when it closed the vulnerability that it was “not aware that there had been any data disclosure”.
“Having since become aware of a disclosure on 4 February 2019, we are now working to confirm that the data disclosure relates to the vulnerability which had been previously secured,” the firm said.
“We believe that the disclosure relates to an isolated security weakness on one of our valuation platforms.
“We are highly confident that this incident does not impact our wider systems and is an isolated incident which had already been resolved prior to us becoming aware of the disclosure.”
In a financial filing, Landmark White said that it had been made aware of the breach through one of its corporate partners, CoreLogic.
It said that “a dataset containing property valuation and some personal contact information” had been disclosed.
The firm said it was “taking steps to notify its corporate partners of the incident” and that it had seen “no evidence of misuse of any information although this remains under close review.”
“Pending the outcome of our investigations, we may need to notify individuals affected by this
incident to let them know what information may have been accessed and what steps they can take to prevent any potential misuse of their information,” the firm said.
“We continue to keep this under close review”.