ANZ has issued a public notice of the potential unsolicited exposure of its customers’ records following reports of a data breach incident at LandMark White, a property valuer used by all major banks.
LandMark White (LMW), an ASX-listed commercial and residential real estate valuer, became aware of the incident on 4 February, notifying the public the next day. The breach, however, went largely unnoticed until a Fairfax Media report last Tuesday unearthed the initial market notice.
Up to 100,000 people may have been impacted by the breach, which potentially exposed personal data, including property valuations and the personal contact information of homeowners, residents, and property agents, such as first and last names, residential addresses, and contact numbers.
A statement released today by LMW stressed that “no loan application details, including financial and identity documents, are contained within the disclosed dataset.”
However, “a small subset of supporting documents relevant to the valuation assessment contained in the dataset” is currently being assessed for its “potential privacy implications”, the company said.
ANZ Chief Data Officer Emma Gray said the bank is “currently undertaking investigations to understand specifically which ANZ customers may be affected and we will contact them directly to outline potential impacts and how we will support them.”
ANZ was the first of the big four to offer a public notice of, and response to, the breach.
“At this stage we understand a very small percentage of our customers who had valuations undertaken between November 2015 and December 2018 are potentially impacted,” Gray said.
The bank has suspended use of LandMark White’s services but stressed it had no reason to believe that other valuers were impacted by the incident. CBA has also reportedly suspended LMW from its panel of valuers and is currently notifying affected customers, while NAB is still assessing the full impact of the incident and will “contact [affected customers] directly”. Westpac has yet to issue a statement on the breach.
LMW said that it had, as early as 23 January, “closed off a security vulnerability that it had identified on one of its valuation platforms.”
The valuer said it had become aware through CoreLogic, a corporate partner, that a dataset containing property valuation and some personal contact information had been disclosed. This incident was first logged on 4 February.
“We have taken immediate steps to secure what we believe to be the source of the disclosure to prevent any further disclosure of data,” LMW said.
It added: “Currently there is no evidence of misuse of any information although this remains under close review.”