Property valuer LandMark White Limited has blamed an exposed API for the leak of a dataset that included property valuation details and contact information of a range of individuals held by the company.
The security vulnerability responsible for the breach — “an exposed programming interface on one of our valuation platforms” — was closed on 23 January, according to the company.
“At that point, we were not aware that there had been any data disclosure,” an update released today for people affected by the breach states.
“Having since become aware of the disclosure on 4 February 2019, we have worked to confirm that the data disclosure relates to the vulnerability which had been previously secured.”
The company on 5 February released a statement to the ASX revealing that it had been alerted by CoreLogic, a corporate partner of the firm, that a “dataset containing property valuation and some personal contact information has been disclosed”.
No loan application details, including financial and identity documents, were in the dataset.
“We take the privacy and security of our data very seriously, and we are working closely with cyber security consultants to investigate the circumstances of the disclosure of the dataset,” the LandMark White statement said.
“We have taken immediate steps to secure what we believe to be the source of the disclosure to prevent any further disclosure of data. Currently there is no evidence of misuse of any information although this remains under close review.”
The company said it has notified law enforcement agencies and the Office of the Australian Information Commissioner.
The company has published a set of FAQs for people affected by the incident.
ANZ’s chief data officer, Emma Gray, said the bank has suspended its use of ASX-listed property valuers LandMark White Limited following a data breach.
“ANZ is aware of this industry-wide incident,” the ANZ CDO said. “We are currently undertaking investigations to understand specifically which ANZ customers may be affected and we will contact them directly to outline potential impacts and how we will support them.”
Gray’s statement was issued in response to a Sydney Morning Herald story revealing that Australian banks may have to contact up to 100,000 of their customers in response to the breach. CBA has also suspended its use of the firm, the SMH reported.
“At this stage we understand a very small percentage of our customers who had valuations undertaken between November 2015 and December 2018 are potentially impacted,” Gray said.
“ANZ uses a range of property valuers and the organisation in question represents a very small portion of the valuations conducted.”
“ANZ takes its privacy obligations very seriously and we are extremely disappointed this incident has occurred,” the CDO said. “We are now firmly focussed on supporting our customers through this incident.”