Key Points
- Australian real estate agency Harcourts said it suffered a cyber attack last month.
- Harcourts Melbourne City said the personal information of tenants, landlords, and tradespeople was potentially exposed.
- Digital rights advocates had warned about the potential serious effects of a data breach in the real estate sector.
Australian real estate agency Harcourts has revealed it was affected by a cyber attack last month, with the personal information of tenants, landlords, and tradespeople potentially exposed.
In an email sent to customers of the Melbourne City franchisee of Harcourts, the company said it became aware on 24 October that an "unknown third party" had accessed its rental property database.
Harcourts said on Thursday that the breach occurred when the account of a representative at service provider Stafflink, which gives the franchisee administrative support, was allegedly compromised and accessed by that unknown third party.
"We understand the unauthorised access occurred because the representative of Stafflink was using their own device for work purposes rather than a company-issued (and more secure) device," it said in a statement.
A spokesperson for Stafflink said the provider is "disappointed" the breach occurred and is working with Harcourts Melbourne City and its IT suppliers to investigate and resolve the matter.
"The platform that has been accessed is not owned, operated or controlled by Stafflink..." they told SBS News in a statement.
The spokesperson said the use of a personal computer is "not consistent with the security policies and procedures" Stafflink has in place.
Harcourts Australia chief executive Adrian Knowles said dealing with the incident is the company's "top priority".
"We are working together with the franchisee to ensure that all impacted individuals are advised of the incident," he said.
"In addition, we are in the process of establishing complimentary credit monitoring and access to the IDCARE support service for impacted individuals."
It's not known how many people were impacted by the breach.
The revelation came just over a week after that a data breach in the real estate sector could be worse than the recent and hacks.
What types of information could the hacker have accessed?
Harcourts said while it "promptly revoked access" to the affected Stafflink representative's account once it became aware of the breach, some information may still have been visible to the third party for "a short window of time".
For tenants, that included:
- Their full legal name
- Their email address
- Their home address
- Their phone number
- A copy of their signature
- Any photo identification they supplied to Harcourts
For landlords and tradespeople, it included:
- Their full legal name
- Their email address
- Their address
- Their phone number
- A copy of their signature
- Their bank details
"We are confident that no other personal information was affected and that all personal information we hold is once again secure," the company said.
It urged recipients of the email to be aware of any suspicious activity in their online accounts and beware of potential phishing scams.
Samantha Floreani is the program lead at the charity Digital Rights Watch. She said the types of information potentially exposed in the Harcourts breach puts people at risk of identity theft.
"Given that there have been other major data breaches as well, we're starting to see a situation where it could be possible to combine the information from the various breaches, which then can create new and innovative ways that this information could be used against people," she told SBS News.
Do real estate agents ask for too much information from renters?
Ms Floreani said real estate agents are "routinely" asking for more information from potential tenants than is necessary.
"Asking for things like full bank statements that can reveal day-to-day habits is totally unnecessary and ripe for abuse," she said.
Tenancy law expert Chris Martin said he's heard recently of real estate agents asking for things like details of applicants' social media accounts, and the names, dates of birth, and other identifying information about their children.
"It's really quite detailed information that's problematic in a few ways," he told SBS News.
"There's the potential that all of this private information is collected and stored and potentially stolen, but there's also information being collected that, arguably is informing unfair decisions.
"'Have you applied for social housing?' is a question that is routinely asked in New South Wales, and if people are being denied tenancies on that basis, I think that's a real problem too."
What needs to change?
Following the Optus and Medibank hacks, the federal government announced it would for companies that experience serious or repeated privacy breaches.
It said a review of the Privacy Act will also be completed by the end of this year, with recommendations to be handed down for further reforms.
Ms Floreani said one reform Digital Rights Watch is pushing for is the removal of the small business exemption, so smaller real estate agencies have to abide by the Act as well.
Digital Rights Watch also wants Australia to have a privacy regulator that is resourced and empowered enough to ensure companies are complying with the law.
Mr Martin said having "reasonable regulation" of the personal information real estate agents and landlords can ask prospective tenants to give them can help to reduce the harm caused by future data breaches.
He said at a state and territory level, Victoria has gone further than other jurisdictions in imposing rules on what applicants can't be asked.
"They include details of past bond disputes and things like that with real estate agents and landlords, and also questions about discriminatory factors that are covered by Victorian anti-discrimination law," he said.
"But there are still things not covered in the Victorian approach, and it still is quite a way short of something like a prescribed standard form of tenancy application that sets out what can be asked for."
Mr Martin said it's also important third parties that do things like collect rent and handle applications are covered by residential tenancy legislation.
Ms Floreani said beyond legal reforms, the power dynamics between people applying for rentals and real estate agents really need to be addressed, especially given the wider context of Australia's housing crisis.
"Even in instances where there are restrictions on what they can and can't ask ... real estate agents are still routinely asking for that personal information," she said.
"The trouble is, is that if you're a renter, and you're worried about potentially not being successful in securing a home, then, you're less likely to say no, or to question what's being asked of you."
