On Wednesday night, it was brought to our attention that Australian real estate company Harcourts was the latest cyber-attack victim, with the data now caught up in the breach believed to include pretty sensitive customer data.
Harcourts confirmed with Gizmodo Australia that its Melbourne City franchisee has been the victim of a “cyber-incident”.
It said that on October 24 the franchisee became aware that its rental property database had been accessed by an unknown third party without authorisation. (Each Harcourts office operates as an independent franchise with its own separate operating and IT systems.)
The rental property database holds personal information relating to landlords, tenants and trades and was used by the franchisee’s service provider, Stafflink, to provide it with administrative support.
Harcourts said that in this particular instance, the rental property database was used by a representative of Stafflink and accessed by an unknown third party.
“We understand the unauthorised access occurred because the representative of Stafflink was using their own device for work purposes rather than a company-issued (and more secure) device,” the company said, adding, “A comprehensive external investigation led by cybersecurity experts is underway but it is not yet concluded.”
Harcourts Real Estate has been hacked pic.twitter.com/WUdsie7HHh
— Damian Tardio (@damiantardio) November 2, 2022
According to the email shared in the tweet above, for residential rental providers and tradespeople, their full legal name, email, addresses, phone number, copy of a signature and bank details are “potentially visible” to the attackers. For renters/tenants, full legal name, email, addresses, phone number, copy of a signature AND photo ID is believed compromised.
“We understand people will be deeply concerned and upset about this data breach. I would like to offer our sincere apologies to everyone who has been inconvenienced as a result,” Harcourts Australia CEO Adrian Knowles said of the data breach.
“Dealing with this incident is our top priority. We are working together with the franchisee to ensure that all impacted individuals are advised of the incident.”
Knowles said Harcourts was in the process of establishing complimentary credit monitoring and access to the IDCARE support service for impacted individuals and he also said the organisation has “acted decisively to implement a comprehensive external investigation as well as a review of our systems and processes firm wide”.
Australia’s Privacy Commissioner has also been advised of the breach.
“This investigation is still underway and if our understanding of the impacts changes in any way we will make this clear,” Knowles added.
Interestingly, the SBS last month interviewed Harcourts, when it was discussing the potential impact a data breach could have on the real estate industry. A Harcourts spokesperson said “protections are in place” to secure customer data, adding, “Our data is encrypted by Google, so it’s got the best protection in the world”.
The Harcourts data breach is just the latest in a string of cyber incidents experienced by Australian organisations and just one of the many data breaches of 2022.
This article has been updated since it was first published.