Herron Todd White
Summary
Herron Todd White (HTW), one of Australia's largest property valuation firms, suffered a BlackSuit ransomware attack affecting its commercial and agricultural valuation platforms. Discovered on April 5, 2024, the breach led to Australia's major banks—Westpac, NAB, Commonwealth Bank, and ANZ—suspending new valuation work with the firm. BlackSuit claimed on April 27, 2024 to have exfiltrated 279GB of documents and a 20GB database containing customer and transaction information.
What Happened
HTW detected suspicious activity on its commercial and agricultural property valuation systems on Friday, April 5, 2024, and immediately reported the incident to the Australian Cyber Security Centre. The company launched an investigation with cybersecurity specialists to determine the scope of the breach.
On April 27, 2024, the BlackSuit ransomware gang claimed responsibility for the attack, posting details on their dark web leak site. The attackers stated they had exfiltrated:
- 279 gigabytes of paperwork and documents
- 20 gigabytes of SQL database containing customer and transaction information
BlackSuit ransomware is a sophisticated ransomware-as-a-service operation believed to be a rebrand or successor to the Royal ransomware gang. The group employs double-extortion tactics, both encrypting systems and stealing data to maximize pressure for ransom payment.
Critically, HTW's residential valuation platform was unaffected, as it operates on separate infrastructure from the compromised commercial and agricultural systems.
Impact on Individuals
While specific details of compromised personal information have not been publicly disclosed, the 20GB database likely contained:
- Property owner contact information
- Commercial and agricultural property addresses
- Transaction details and valuation reports
- Client communications and correspondence
- Business entity information
The breach primarily affected:
- Commercial property owners and buyers: Businesses and investors whose properties were valued by HTW
- Agricultural landowners: Farmers and rural property owners
- Financial institutions: Banks and lenders using HTW valuation reports
- Real estate professionals: Agents and brokers involved in transactions
The exposure of property valuations and transaction details could enable:
- Targeted fraud against property owners
- Business intelligence gathering by competitors
- Phishing attacks impersonating HTW or related financial institutions
- Insights into commercial real estate transactions and investment strategies
Organisational Response
HTW immediately reported the breach to the Australian Cyber Security Centre and engaged external cybersecurity experts to investigate and remediate the incident. The company emphasized that the breach was limited to commercial and agricultural platforms and did not affect residential valuation systems.
The financial impact extended beyond the breach itself, as Australia's four major banks took unprecedented action:
- Westpac, NAB, and Commonwealth Bank suspended new commercial and agricultural valuation work
- ANZ reportedly suspended all new work with HTW
- Residential valuations continued on the unaffected platform
The bank suspensions represented a significant business disruption, effectively halting HTW's ability to conduct commercial and agricultural valuations for major lenders while security was restored and systems were verified. This multi-bank response demonstrates the critical role property valuations play in lending decisions and the financial sector's zero-tolerance approach to data security in their supply chain.
HTW worked to restore confidence with banking partners by demonstrating comprehensive remediation, enhanced security measures, and verification that the breach was contained. The incident highlighted the systemic risk when critical service providers in the property and finance sectors are compromised.