Real estate agent Harcourts suffers a data breach... another one for real estate agencies. It is an industry in dire need of regulatory attention

November 4, 2022

In less than a month there has been a data breach at a real estate agent business. I wrote about Realty Assist’s breach on 18 October 2022. Now Harcourts have suffered a data breach, on 14 October 2022. The ABC report highlights a breakdown between Harcourts and Stafflink, a software provider. In its email to customers Harcourts claimed the data breach stemmed from its software service provider Stafflink, one of whose employees’ accounts was compromised. That can and does happen. Except that Stafflink has disputed that and publicly said so. A very poor strategy by Harcourts to make an assertion and then find it contested. I never cease to be amazed how poorly Australian businesses handle data breaches. The ABC story also covers the dreadful state of privacy and data management by the real estate industry. It has long been an industry addicted to collecting as much personal information as possible but being lax with it. Privacy advocates have long known about and raised the alarm about poor privacy practices.

The Age article provides:

Real estate company Harcourts has revealed it suffered a data breach on October 14, potentially exposing customers’ names, addresses and bank details to hackers.

In an email circulated to customers of Harcourts Melbourne City, the company reports it became aware of a cyber attack on October 24.

Harcourts said it was obligated to report the incident to clients under the Privacy Act 1988.

According to the email, the company’s rental property database had been accessed by an unknown third party.

Harcourts said the data breach stemmed from its software service provider Stafflink, where the account of one of Stafflink’s employees was allegedly compromised and made accessible to third parties.

“We are still investigating the incident but understand it has occurred through the employee using their own device for work purposes rather than the usual (and more secure) company-issued device,” the email said.

“As a result, your information may have been visible to the third party for a short window of time.”

Stafflink told the ABC it was not at fault for the breach and that it had engaged in a meeting with Harcourts about the incident.

When asked by the ABC about Stafflink’s claims, Harcourts chief executive Adrian Knowles declined to comment.

Harcourts said information such as names, addresses, copies of signatures, photo identification and bank details may have been visible to hackers.

The company said it has since revoked access and added new layers of protection since the data breach.

It is not known how many people were impacted by the breach.

Real estate industry’s data practices in dire need of reform: digital rights expert

The data breach comes after major cybersecurity incidents at both Optus and Medibank, with millions of Australians potentially affected by breaches.

Digital Rights Watch executive director James Clark said a reckoning for the real estate industry has been a long time coming.

“We’ve been warning about this for a while that the real estate industry has been collecting far too much information, especially about renters,” Mr Clark said.

“When you’re collecting as much information as the real estate industry has, unfortunately leaks like this become inevitable.”

Mr Clark said renters in particular were put at huge risk with the amount of information they are required to provide to secure a property.

“We have no oversight into how long they’re storing that for and what else they’re doing with that information,” he said.

Mr Clark said the industry seemed arrogant about their cybersecurity protocols and had been found out.

“Harcourts was quoted recently as saying that their digital security is top notch, and unfortunately I think it’s quite embarrassing that they are the real estate agency that has had this breach.”

The government has proposed to steeply increase penalties for serious or repeated privacy breaches, with reforms flagged for 2023.

Mr Clark said while companies should be able to store information for a “reasonable” period of time, privacy reform was desperately needed in Australia.

“What we really need is a regulator that is really well resourced to oversee this and to make sure that companies are not stretching the definitions of ‘reasonable’, which we do see now,” he said.
