An unauthorised third party has accessed a Melbourne real estate agency’s rental property database, with addresses, names and bank details exposed, renters and landlords have been told.
International real estate company Harcourts said in a statement on Thursday that the Melbourne City franchise had its rental property database accessed by an “unknown third party without authorisation”.
The breach affects only customers of the Melbourne City franchise, as each franchise operates its own separate IT systems, the company said.
Harcourts has hired external cybersecurity experts to investigate.
The rental property database includes tenants’ names, email addresses, addresses, phone numbers, signatures and photo IDs. For landlords, it includes names, email addresses, phone numbers, copies of signatures, and bank details.
Harcourts could not say how many customers may be affected by the breach but fewer than 1,000 notifications have been sent out to customers potentially affected.
The Harcourts Australia CEO, Adrian Knowles, apologised to customers, saying credit monitoring and access to IDCare support would be provided. He said the investigation was a top priority.
“We are working together with the franchisee to ensure that all impacted individuals are advised of the incident,” he said.
“We have acted decisively to implement a comprehensive external investigation as well as a review of our systems and processes firm wide. We have also notified the privacy commissioner of this breach.”
In the wake of the massive Optus data breach in September, Samantha Floreani wrote in Guardian Australia that a similar breach of real estate agents would be devastating to renters, given the sheer volume of information collected during the application process for a rental property.
“It’s clear that there are serious gaps in the law which are permitting the real estate industry to collect, use, and store more information than they need,” Floreani said.
“These data-extractive practices are no accident, it is a deliberate feature of their business model.”
A spokesperson for the Real Estate Institute of Australia said agents already operated in a regulated environment, and were “obliged to act with skill, care and diligence, including their approach to the collection of personal data”.
“Therefore, the regulatory environment within which agents operate does, in effect, constitute an industrywide commitment to safe data storage.”
The spokesperson said the Harcourts breach was a reminder for agents to be vigilant in the collection and storage of data.
The federal government has introduced legislation aimed at increasing penalties up to $50m for breaches.
Floreani said the changes would offer limited pathways for recourse for people who might have their data compromised in a real estate breach.
“One of the main benefits of the proposed changes is that if the bill passes it may act as an incentive for companies to comply with the act and encourage accountability when companies do the wrong thing – but I think it’s too soon for that kind of flow-on effect to be felt yet,” Floreani said.
“Bigger fines are important but not enough on their own. Without comprehensive reform to the rest of the act and proper resourcing to the [privacy commissioner] to enforce it, it doesn’t mean much.”
The attorney general, Mark Dreyfus, has indicated the government intends to release a review of the Privacy Act as well as the government’s response to it before the end of this year.