A Victorian schoolteacher was applying for ‘heaps of rentals’ online – then someone accessed his bank account

Michael says this was achieved by having access to something often required for identity verification: his passport number.

After that, someone was able to gain access to his bank and superannuation accounts, and began making transfers.

He suspects this all stems from information he submitted to rent application platforms, which included his passport information.

“I’d been applying for heaps of rentals through November, through December. And it was just the right time that I suspect that all these leaked to someone,” he says.

Michael says he reported the incident to police. He managed to get control of his phone number again – allowing him to receive the two-factor authentication codes to access his accounts.

“I think it took a couple of weeks to get everything sorted out and change all my passwords.”

His experience may not be isolated.

_{Sign up: AU Breaking News email}

As Guardian Australia reported this week, millions of leasing documents held by rent platforms could be accessible online without any sort of authentication required, according to analysis of seven such services.

‘Over-collection of data’

An Australian Housing and Research Institute (Ahuri) report released last month says while providing personal information is necessary for rental agreements, the “over-collection of data poses significant risks to renters’ data security and privacy”.

The report states renters have little understanding of where their data goes, and who has access to it, and whether that information is then used to build profiles or rankings of candidates.

“Platforms rely on the collection, storage, sharing and linking of large volumes of data,” the report says.

“Emergent data relations that result from these platforms therefore involve multiple third-party actors beyond tenants, landlords and property managers, increasing the risk of data misuse and breaches.”

The Ahuri report identified 57 rent tech platforms operating in Australia.

The report’s lead author, Dr Sophia Maalsen from the University of Sydney, says she recognises the benefits the platforms can offer the sector to minimise their own data collection. But she says some collect more data than others.

One included 50 different data fields regarding individual rental applicants.

“There’s a lot much more intensive sort of work being done – whether that’s around household composition, whether you’re single parent or not, your dog, pets, smoking, that kind of stuff … and there’s not a lot of data portability between [the platforms],” Maalsen says.

Maalsen also says renters who are putting information into multiple platforms are often not clear on how secure they are.

“They’re not going to be 100% hackable proof, and some are likely going to be stronger than others,” she says.

She says regulation of the sector is needed.

“I feel like the application forms are probably the most simple to get your head around in terms of what data is being collected and where, but then you get other sort of stuff that monitors social capital, wellbeing and it is a bit more nebulous in terms what is that being used for?”

Enhancing privacy

The Real Estate Institute of Australia’s president, Jacob Caine, says agents are legally required to confirm tenants are who they claim to be, which necessitates the collection of personal information.

He says it is essential they undertake proper due diligence in ensuring the online platforms being used comply with privacy obligations.

“As agencies increasingly adopt regulatory technology, it is critical they ensure these systems meet the highest privacy and security standards,” he says.

Caine says the REIA supports robust regulatory oversight, and over the long term supports reducing collecting and storing sensitive documents through projects such as the federal government’s digital ID rental pilot, announced last year.

“Less data collected means less data exposed,” he says.

However, Caine warns the sector will be required to collect more data from 1 July, due to new anti-money laundering reforms that will force real estate agents to keep more records, monitor and report suspicious activity.

“Utilising digital ID is exactly the kind of forward-looking solution our sector needs – one that enhances privacy, improves efficiency, and gives renters confidence that their information remains secure,” Caine says.

“We are already seeing an influx of new regulatory technology providers,” he says.

“Providers must show strong governance, verified cybersecurity credentials, and a clear understanding of their privacy obligations. The risks are too great for anything less.”

*name has been changed