Recent reporting has raised serious concerns about the security of some digital platforms used by Australian real estate agencies to manage rental applications and tenancy documents.
According to The Guardian, a digital researcher found that several widely used rent-tech platforms allow millions of sensitive documents to be accessed through unsecured hyperlinks – which means they can potentially be viewed without logging in.
You’re probably very familiar with many of these platforms. Designed to streamline documentation management processes (remember when people faxed their rental applications?), these platforms work by allowing agents to upload documents to a cloud-based system and then share them via a link with tenants, landlords or other parties.
This approach makes collaboration and document management quick and convenient. But the research suggests that the way these systems generate and manage links may leave them wide open to data breaches. This has serious consequences for real estate agents.
How are threat actors exploiting these platforms?
Because these platforms are not as secure as they could be, threat actors (and even innocent web crawlers) may be able to view a document simply by modifying numbers in the URL or guessing similar links. Once a valid link is found, the document can often be accessed without any additional authentication or password.
The potential exposure is particularly concerning given the type of information real estate professionals routinely handle as part of the leasing process. These rent-tech platforms can store highly sensitive personal data, including:
- Lease agreements, which may contain full names, addresses, rental amounts and signatures.
- Identity documents, such as driver’s licences or passports used for verification.
- Payslips and financial information used to assess tenant affordability.
- Personal and employment references, including contact details and background information.
The research also revealed that some of the exposed records reportedly dated back years, demonstrating how long sensitive information can remain online when security controls are insufficient.
What this means for agents
For real estate agencies, handling personal information is a normal part of day-to-day operations. From rental applications to tenant screening and lease documentation, agencies routinely collect and store sensitive data belonging to both tenants and landlords.
But the everyday systems used to streamline property management are a vulnerable and very exploitable cybersecurity risk that can leave agencies open to serious consequences.
Australian businesses that collect personal information must take reasonable steps to protect it from misuse, loss or unauthorised access. A breach involving tenant data could potentially trigger regulatory scrutiny or mandatory reporting obligations depending on the circumstances.
Then there is the reputational risk. If clients believe their personal information has been exposed or mishandled, the impact on an agency’s reputation can be significant – especially in a competitive environment.
Operational disruption is another factor. A data incident may require agencies to investigate what happened, notify affected individuals, respond to complaints and cooperate with regulators. This process can be time-consuming and costly, pulling focus away from other business operations.
At the end of the day, digital tools are indispensable in modern property management, but they also introduce new layers of risk. As the industry continues to adopt digital solutions, agencies must remain aware of how client data is handled, stored and shared.
Practical steps agents can take now
Technology risks and cybersecurity management can seem complex. But there are practical steps real estate agencies can take to better protect sensitive data and client information.
Audit your tech stack
The first step is understanding exactly which platforms your agency relies on to manage rental applications, leases and tenant documentation.
Start by reviewing all digital rental and leasing platforms currently in use. Ask key questions such as:
- How are documents stored within the platform?
- Are files protected behind login authentication, or accessible through shared links?
- What security controls are in place to prevent unauthorised access?
It’s also worth speaking directly with your vendors. Ask whether they use encryption for stored data, what authentication measures are required for access, and how permissions are managed across users. If they can’t clearly explain how they protect the personal information stored on their systems, then you may need to reassess the relationship.
Strengthen internal processes
Even the most secure software can be undermined by weak internal practices. That’s why clear processes around document handling are just as important as the technology itself. Practical safeguards include:
- Implementing clear document naming and storage conventions so sensitive files are easy to manage and locate.
- Setting expiry controls or time limits on shared documents where possible.
- Removing outdated documents that are no longer required for operational or compliance purposes.
- Restricting access to sensitive files on a need-to-know basis within your team.
- Avoiding unsecured document sharing methods, such as open links or personal email accounts.
- Providing basic cyber awareness training so staff understand how to handle sensitive client data safely.
Review your insurance coverage
No agency is completely immune to cyber risk, even with strong security practices in place. That’s where insurance may help.
Cyber Liability insurance is designed to help protect you from claims and support your profitability in the event of a cyber breach or attack. Costs associated with defending a cyber claim are also covered.
Professional Indemnity insurance covers you for losses claimed by a third party and defence costs due to alleged or actual negligence in your professional services or advice.
In many cases, it is a legal requirement for real estate agents. However, it’s still a good idea to make sure you have limits that offer adequate cover.
Taking the time to review these protections can provide peace of mind that if something does go wrong, your business has financial and professional support in place to respond effectively. If you’re unsure, speak with an insurance professional to find out more about policies to suit your business needs.
This information is general only and does not take into account your objectives, financial situation or needs. It should not be relied upon as advice. As with any insurance, cover will be subject to the terms, conditions and exclusions contained in the policy wording or Product Disclosure Statement (available on our website). Please consider whether the advice is suitable for you before proceeding with any purchase. Target Market Determination document is also available (as applicable).
© 2026 BizCover Pty Limited, all rights reserved. ABN 68 127 707 975; AFSL 501769