Contractor charged over Sydney data breach

A software contractor has been charged over the breach of than 170,000 business records.
A software contractor has been charged over the breach of than 170,000 business records.

A Sydney IT contractor has been charged over a data breach at a property evaluation firm that allegedly affected more than 270,000 people, cost the company more than $8 million and resulted in troves of personal information being uploaded onto the dark web.

Stephen Grant allegedly accessed and published more than 170,000 data sets including names, addresses, contact numbers, property valuations and driver's licences between September 2017 and May 2019.

The 49-year-old, who has been employed by the ASX-listed Landmark White firm for 12 years, was arrested in the company's Sydney foyer on Wednesday.

He was later charged with 15 offences, including unauthorised data modification, unlawfully handling identity information, impairing electronic communications and drug possession.

He was refused bail to appear at Central Local Court on Thursday.

Police said the data could have been used to steal customers' identities and even fraudulently take out bank loans.

"He was in a position of trust and that information was used recklessly," Detective Acting Superintendent Gordon Arbinja told reporters on Wednesday.

Acting chief executive Timothy Rabbitt said Landmark White lost more than $8 million following the publicity about the breach.

"Investigations have revealed that the breach was carried out by someone with trusted inside access and we believe we were deliberately targeted by someone with an intent to damage our business and reputation," the company said in a statement.

The company did not notice the first alleged breach, which resulted in the data appearing on the dark web, for several days and did not alert police. Mr Rabbitt said that was because the company did not know the culprit.

He said 25 customers were deemed by Australia's national identity and cyber support service to be at risk of serious harm.

The company notified those affected and there was no evidence there had been any misuse of the data, Mr Rabbitt said.

After Grant's arrest, Cybercrime Squad detectives also raided a home at Rozelle and a business data centre at Ultimo.

"The information that was uploaded on the internet - on the clear net - has been removed from that site. The information that was uploaded to the dark net, I cannot guarantee has been cleared," Det Supt Arbinja said.

Australian Associated Press