Real estate company Harcourts has confirmed a data breach occurred at its Melbourne City office, potentially exposing the personal information of tenants, landlords and trades to hackers.
The franchisee became aware on October 24 that its rental property database was accessed by an unknown third party without authorisation.
For tenants, the personal information potentially breached included names, addresses, email addresses, phone numbers, signatures and photo identification, according to an email sent by the office to its customers and circulated online.
For landlords and trades, the data comprised bank details as well as names, addresses, email addresses, phone numbers and signatures.
It comes two weeks after security experts and tenancy advocates raised concerns about the potential for data breaches in the industry, which collects copious amounts of information with little oversight.
The NSW government has backed stronger protections of renters’ information as a result.
The company said the rental property database was used by a representative of administrative support service provider Stafflink, and accessed by an unknown third party.
The company blamed a representative of Stafflink using their own device for work purposes, rather than a company-issued device.
The company said a comprehensive external investigation led by cybersecurity experts is under way.
Each Harcourts office operates as an independent franchise with its own separate operating and IT systems.
Harcourts Australia chief executive Adrian Knowles said dealing with the incident was the company’s top priority.
“We understand people will be deeply concerned and upset about this data breach. I would like to offer our sincere apologies to everyone who has been inconvenienced as a result,” Knowles said.
“We are working together with the franchisee to ensure that all impacted individuals are advised of the incident. In addition, we are in the process of establishing complimentary credit monitoring and access to the IDCARE support service for impacted individuals.”
Digital Rights Watch program lead Samantha Floreani said a review into the Privacy Act was urgently needed to better protect people’s data.
“This is yet another example of why we need comprehensive privacy reform, because as long as companies are collecting too much of our personal information and holding on to it for long periods of time, the risk of harm is going to continue to occur,” Floreani said.
Real Estate Institute of Australia president Hayden Groves said the peak body had been “very concerned” after the news of the Optus and Medibank data breaches.
Agencies across the country collect $78 billion in rent each year, gathering personal data from tenants and companies in the process.
“Obviously, the Harcourts data breach is a concern. It’s really a wake-up call for real estate agencies,” Groves said.
Groves said it came down to proper training for those working in the industry on keeping data collected from sales and leases safe and secure.
“Data breaches mainly occur when individuals open an email that they shouldn’t have,” he said.
“And really, if we’re being sloppy with the collection of data it can really put our business at risk.”
Groves said agencies were taking data security very seriously: “We’re not seeing agents be cavalier with the collection of data, but they do need to ensure employees are properly trained with things like email portals.”