LandMark White reveals second data breach

Second breach not related to IT security failure, company says

LandMark White, which earlier this year revealed details of a significant data breach that saw the exit of its CEO, has revealed details of a newly discovered breach.

A range of “PDF valuation documents and other operationally related commercial documents” were posted to document sharing service Scribd, the company’s secretary, John Wise, said in a note released to the ASX late yesterday.

LMW said that Scribd was removing the documents — a process that LMW anticipated would be completed within 24 hours.

“We also confirm that these documents do not appear to have been taken from LMW through an IT related security breach but may be the deliberate work of an individual known to the LMW business,” Wise wrote.

“We are treating this very seriously and will work with law enforcement and government agencies as necessary, to confirm the circumstances of this activity.”

LMW in February announced that some 137,500 of its valuation records and 1680 supporting documents had been posted online. In March it revealed a subset of the data was still in circulation and had been posted on a “darkweb forum”.

Fallout from the breach led to major banks suspending their use of LMW’s services, and the firm twice entered a trading halt as it struggled to assess the impact on its business.

Earlier this month the company said that the breach had cost it $5-6 million in revenue, and that it expected to take an additional $1 million hit to its income. LMW revised its full-year revenue forecast downwards to $43.5 million from $55 million. However, lenders including major banks have resumed their use of LMW’s valuation services, the company said.

The company says it has worked to improve security, including collaborating with the Commonwealth Bank’s security team. In its update to the market earlier this month LMW said it had “incurred significant costs upgrading cyber security measures”.

“These new security measures will incur higher ongoing maintenance costs but are critical to ensure we maintain an appropriately high level of data security,” the company said in its statement.

“We stand by all previous assurances, supported by third party consultant testing, that our enhanced security environment continues to provide an appropriate level of security for our clients and their data,” Wise wrote in yesterday’s note.

The company secretary said that, after an initial review of the documents in the second breach, LMW did not believe the incident constituted a notifiable data breach for the purposes of the Privacy Act 1988 and the Notifiable Data Breaches Scheme, as “there is limited private information contained in the documents”.

“Notwithstanding this assessment we have updated the Office of the Australian Information Commissioner of the disclosure and undertaken to keep them updated,” Wise wrote.