On Wednesday night, it was brought to our attention that Australian
real estate company Harcourts was the latest cyber-attack victim, with
the data now caught up in the breach believed to include pretty
sensitive customer data.
Harcourts confirmed with Gizmodo Australia that its Melbourne City franchisee has been the victim of a “cyber-incident”.
It
said that on October 24 the franchisee became aware that its rental
property database had been accessed by an unknown third party without
authorisation. (Each Harcourts office operates as an independent
franchise with its own separate operating and IT systems.)
The
rental property database holds personal information relating to
landlords, tenants and trades and was used by the franchisee’s service
provider, Stafflink, to provide it with administrative support.
Harcourts said that in this particular
instance, the rental property database was used by a representative of
Stafflink and accessed by an unknown third party.
“We
understand the unauthorised access occurred because the representative
of Stafflink was using their own device for work purposes rather than a
company-issued (and more secure) device,” the company said, adding, “A
comprehensive external investigation led by cybersecurity experts is
underway but it is not yet concluded.”
According to the email shared in the tweet above, for residential
rental providers and tradespeople, their full legal name, email,
addresses, phone number, copy of a signature and bank details are
“potentially visible” to the attackers. For renters/tenants, full legal
name, email, addresses, phone number, copy of a signature AND photo ID
is believed compromised.
“We understand people will be deeply
concerned and upset about this data breach. I would like to offer our
sincere apologies to everyone who has been inconvenienced as a result,”
Harcourts Australia CEO Adrian Knowles said of the data breach.
“Dealing
with this incident is our top priority. We are working together with
the franchisee to ensure that all impacted individuals are advised of
the incident.”
Knowles said Harcourts
was in the process of establishing complimentary credit monitoring and
access to the IDCARE support service for impacted individuals and he
also said the organisation has “acted decisively to implement a
comprehensive external investigation as well as a review of our systems
and processes firm wide”.
Australia’s Privacy Commissioner has also been advised of the breach.
“This investigation is still underway and
if our understanding of the impacts changes in any way we will make this
clear,” Knowles added.
Interestingly, the SBS last month interviewed Harcourts,
when it was discussing the potential impact a data breach could have on
the real estate industry. A Harcourts spokesperson said “protections
are in place” to secure customer data, adding, “Our data is encrypted by
Google, so it’s got the best protection in the world”.
The
Harcourts data breach is just the latest in a string of cyber incidents
experienced by Australian organisations and just one of the many data breaches of 2022.
This article has been updated since it was first published.
Source:gizmodo.com.au
