Industry experts have called for more to be done to protect tenants’, landlords’ and trades’ personal and financial information following a recent data breach.
Real estate company Harcourts recently revealed it had been the subject of a data breach at its Melbourne City office, with its rental property database accessed by an unknown third party.
Harcourts said the data breach came from one of its service providers, where the account of an employee was allegedly compromised and made accessible to third parties.
Director of Property Management Institute of Training (PMIT) and the Property Management Virtual Assistant (PMVA), Tiffany Bowtell said the breach highlighted the need for real estate businesses to be vigilant with third-party contractors who have access to sensitive information.
โKnowing the company that was involved in this, I know they outsource the virtual assistants,โ Ms Bowtell said.
โTheyโre not the employer of the virtual assistant, they are the virtual agency here in Australia.
โThe problem is, when you have a third party in the Philippines, you have no control over the environment the virtual assistant works in.
โYou canโt control the environment when your virtual employees come to work because itโs not your company.โ
Ms Bowtell said if real estate agencies were looking at outsourcing components of data security, the first step is to know who the provider actually is and how much control they have over the environment where your data sits.
โWhen an agency wants a virtual assistant itโs critical to go through a reputable supplier that is incorporated in the country of origin and has the business setup in the country of origin,โ she said.
According to Ms Bowtell, itโs critical that real estate businesses are careful about how many contractors have access to their sensitive information.
โThe smaller the footprint of the party vs party vs party, the better,โ she said.
โSomething Iโve been telling people for a long time is to be very careful about how many people have access to your data.
โYou need to bring it back to accountability and control.โ
Ms Bowtell said all third-party contractors, especially virtual assistants, are required to sign contracts, undergo rigorous training and education as well having strict policies on the use of personal devices such as computers, mobile phones and office access.
Harcourts Australia Chief Executive Officer, Adrian Knowles said when acknowledging the breech last week that Harcourts understood people would be deeply upset and concerned about the recent data breach.
โI would like to offer our sincere apologies to everyone who has been inconvenienced as a result,โ Mr Knowles said.
โDealing with this incident is our top priority. We are working together with the franchisee to ensure that all impacted individuals are advised of the incident.
โIn addition, we are in the process of establishing complimentary credit monitoring and access to the IDCARE support service for impacted individuals.
โWe have acted decisively to implement a comprehensive external investigation as well as a review of our systems and processes firm wide. We have also notified the Privacy Commissioner of this breach.
โThis investigation is still underway and if our understanding of the impacts changes in any way we will make this clear,โ he said.
Senior research fellow from the University of NSW City Futures Research Centre, Dr Chris Martin said real estate businesses, in particular property managers, were already collecting far more personal and financial information than they should be.
โItโs a big risk if all that information falls into the wrong hands,โ Dr Martin said.
โTenancy laws in most states and territories place few restrictions on what agents can collect.
โQuestions about source of income, social security recipient status, and whether youโve applied for social housing can be used to deny you a tenancy, and itโs not unlawful and not regulated in any jurisdiction.โ
Dr Martin said one solution would be the development of a standardised application with pre-set questions, which excludes unreasonable, intrusive, and risky questions.
โThe fact that it always happens that way โ that itโs landlords and agents extracting more and more from tenants โ shows how asymmetric the relationship is and why we need stronger residential tenancy laws,โ he said.
Stockdale & Leggo Chief Executive Officer Charlotte Pascoe said the real estate industry had to be careful in the wake of the damaging attack.
โIt is everyoneโs responsibility to keep data safe,โ Ms Pascoe said.
โItโs scary how advanced hacking has become โ so, now more than ever, we have to be aware of how forgetting to turn something off could end in someone breaking into our entire digital ecosystem.โ
Ms Pascoe said every staff member in the Stockdale & Leggo network had been advised to take extra precautions to ensure cyber security as a result.
โWe have to use this as an opportunity to educate and upskill staff across our offices,โ she said.
โWe have asked every director in our organisation to go through and update their security processes for their technology ecosystems, and we have asked everyone within the organisation to take today to ensure they are protecting the businesses, and the data.โ