Another data leak in Australia, this time with Realty Assist
October 18, 2022
Real estate agents and other property related companies collect masses of personal information. A significant amount of that data is not required for preparing a lease. Real estate agents are enthusiastic collectors of data but less impressive in the storage of data. This is amply demonstrated in the Guardian’s article “A real estate agent data breach would be devastating for renters. They collect too much personal information”. The sobering fact is that unless a real estate agent had an annual turnover of $3 million or more, it would not be covered by the Privacy Act.
On cue, the Australian reports that poor data management has led to personal information being made publicly available online in “Lax security: RealtyAssist loan details online”. This comes as no surprise to anyone practising privacy law. That it is being reported so widely is more a function of the heightened interest in data breach stories since the Optus Data Breach. The article provides:
Sensitive customer details managed by RealtyAssist relating to a large number of property transactions are publicly available online, exposing lax security practices at the real estate services company.
The Australian can reveal reams of data and documents were captured by an online indexing and archiving site, leaving sensitive data easily accessible.
The trove of information – including customer names, mobiles, email addresses and in some cases entire property contracts – raises serious questions about the robustness of RealtyAssist’s technology and data security systems.
Also included in a number of the documents available online were customers’ DocuSign Envelope ID numbers, which reflect a permanent reference to the electronic signing transaction for that particular document. The number can be used to access the DocuSign certificate of completion.
Perth-based RealtyAssist provides invoicing, cash flow and other services to real estate agents around the country, including The Agency and Laing+Simmons.
ASX-listed Domain Holdings has also partnered with RealtyAssist to provide pay-later services to customers who are selling properties but don’t want to pay the marketing costs upfront.
The cache of sensitive data accessed – and archived – from RealtyAssist’s back-end systems included detailed customer service agreements, a sales and inspection report and transfer receipts for holding deposits on property sales.
One of the deposit transfer receipts – via real-time payments platform Osko – was dated May 2022 for a property in NSW and totalled $143,500. Another file shows an outstanding pay-later agreement for $78,000 loaned to a vendor selling a house in Toowong.
Other documents included detailed invoices and fee agreements for customers choosing to enter contracts to pay property marketing costs in instalments, under buy now, pay later arrangements.
RealtyAssist declined to respond to questions about its data security practices put to the company by The Australian on Monday. Domain did not respond to questions about its relationship with RealtyAssist, its level of due-diligence and its confidence in the company’s data security.
RealtyAssist’s chairman is Peter Wall, a partner at corporate and commercial law firm Steinepreis Paganin. The property services group is led by Sam Rettke, a former real estate agent who is also a co-founder of RealtyAssist.
The company’s data security issues come as a spate of large Australian companies – including Medibank Private, Optus and Woolworths’ MyDeal – are grappling with cyber attacks and potential or real data breaches.
PwC Australia’s cyber security and digital trust leader Robert Di Pietro said the recent events had elevated data and cyber security to a “heightened level”.
“That’s never been thrust into the mainstream as much as it has on the back of these recent breaches. We’re talking about millions of Australians, so it’s really reaching everyone,” he added.
“As we often say, it’s not a matter of if, it’s when. It’s really unprecedented that we’ve had so many high-profile breaches in such a short space of time.”
A report by PwC, to be released on Tuesday, outlines that Australian business leaders have much more work to do, given expanding cyber and data risks.
The report says Australian organisations are more reactive in their approach to cyber disruption than their global counterparts. It says 63 per cent of Australian respondents are reactive, rather than proactive, and invoked cyber plans after incidents, focusing on recovery and remediation. Mr Di Pietro said data protection was as critical as cyber security for all companies.
“The conversation is absolutely pivoting to data. How much of it do we have? Do we know where it exists and do we have too much of it? If I need it revoked, can that be done?
“That level of sensitivity around data, and data as the new oil or as a precious commodity, because it is so precious to so many organisations – it is also just as precious to cyber adversaries who are looking to use that to make a buck or further their own cause,” Mr Di Pietro said.
“Small and mid-sized organisations do need to start paying more attention and they do need to focus on investing in cyber security. But they are also part of a broader ecosystem where they can’t do it alone.”
The latest revelations about RealtyAssist follow a report in The Australian on Monday detailing how the company provides vendor loans of up to $5m without having a credit licence – a move which has seen it become the target of complaints lodged with the corporate regulator.
Among its services, RealtyAssist gives vendors early access to funds that are part of an upcoming property settlement. That gives the seller – if approved – access to some or all of the home or apartment sale funds ahead of the transaction’s completion.
RealtyAssist charges a “simple credit fee” for the product and says it limits the loan term to 60 days, although potential borrowers can request a longer term or simply say they are unsure how long they require the funds for.
After the 60-day term expires borrowers are charged interest from the following day and then every 30 days after the due date.
The Australian Securities & Investments Commission is understood to be investigating complaints about the arrangement and its reliance on credit law exemptions.
Domain has only recently partnered with RealtyAssist after quietly severing ties with its earlier buy now, pay later partner, Limepay. It is seeking to transfer customers to RealtyAssist.
On Sunday, RealtyAssist said it was not aware of any complaints about it to the ASIC. “We would take any complaints to ASIC (or investigation) very seriously,” the company said.
“Domain undertakes a degree of due diligence on its commercial partners to ensure that they are a partner that they wish to have an arrangement with,” a Domain spokeswoman said on Sunday.
“Domain has a range of commercial relationships.”
Domain’s largest competitor is REA Group, which is controlled by News Corp Australia, publisher of The Australian.