Industry experts have called for more to be done to protect tenants’, landlords’ and trades’ personal and financial information following a recent data breach.
Real estate company Harcourts recently revealed it had been the subject of a data breach at its Melbourne City office, with its rental property database accessed by an unknown third party.
Harcourts said the data breach came from one of its service providers, where the account of an employee was allegedly compromised and made accessible to third parties.
Director of Property Management Institute of Training (PMIT) and the Property Management Virtual Assistant (PMVA), Tiffany Bowtell said the breach highlighted the need for real estate businesses to be vigilant with third-party contractors who have access to sensitive information.
“Knowing the company that was involved in this, I know they outsource the virtual assistants,” Ms Bowtell said.
“They’re not the employer of the virtual assistant, they are the virtual agency here in Australia.
“The problem is, when you have a third party in the Philippines, you have no control over the environment the virtual assistant works in.
“You can’t control the environment when your virtual employees come to work because it’s not your company.”
Ms Bowtell said if real estate agencies were looking at outsourcing components of data security, the first step is to know who the provider actually is and how much control they have over the environment where your data sits.
“When an agency wants a virtual assistant it’s critical to go through a reputable supplier that is incorporated in the country of origin and has the business setup in the country of origin,” she said.
According to Ms Bowtell, it’s critical that real estate businesses are careful about how many contractors have access to their sensitive information.
“The smaller the footprint of the party vs party vs party, the better,” she said.
“Something I’ve been telling people for a long time is to be very careful about how many people have access to your data.
“You need to bring it back to accountability and control.”
Ms Bowtell said all third-party contractors, especially virtual assistants, are required to sign contracts, undergo rigorous training and education as well having strict policies on the use of personal devices such as computers, mobile phones and office access.
Harcourts Australia Chief Executive Officer, Adrian Knowles said when acknowledging the breech last week that Harcourts understood people would be deeply upset and concerned about the recent data breach.
“I would like to offer our sincere apologies to everyone who has been inconvenienced as a result,” Mr Knowles said.
“Dealing with this incident is our top priority. We are working together with the franchisee to ensure that all impacted individuals are advised of the incident.
“In addition, we are in the process of establishing complimentary credit monitoring and access to the IDCARE support service for impacted individuals.
“We have acted decisively to implement a comprehensive external investigation as well as a review of our systems and processes firm wide. We have also notified the Privacy Commissioner of this breach.
“This investigation is still underway and if our understanding of the impacts changes in any way we will make this clear,” he said.
Senior research fellow from the University of NSW City Futures Research Centre, Dr Chris Martin said real estate businesses, in particular property managers, were already collecting far more personal and financial information than they should be.
“It’s a big risk if all that information falls into the wrong hands,” Dr Martin said.
“Tenancy laws in most states and territories place few restrictions on what agents can collect.
“Questions about source of income, social security recipient status, and whether you’ve applied for social housing can be used to deny you a tenancy, and it’s not unlawful and not regulated in any jurisdiction.”
Dr Martin said one solution would be the development of a standardised application with pre-set questions, which excludes unreasonable, intrusive, and risky questions.
“The fact that it always happens that way — that it’s landlords and agents extracting more and more from tenants — shows how asymmetric the relationship is and why we need stronger residential tenancy laws,” he said.
Stockdale & Leggo Chief Executive Officer Charlotte Pascoe said the real estate industry had to be careful in the wake of the damaging attack.
“It is everyone’s responsibility to keep data safe,” Ms Pascoe said.
“It’s scary how advanced hacking has become — so, now more than ever, we have to be aware of how forgetting to turn something off could end in someone breaking into our entire digital ecosystem.”
Ms Pascoe said every staff member in the Stockdale & Leggo network had been advised to take extra precautions to ensure cyber security as a result.
“We have to use this as an opportunity to educate and upskill staff across our offices,” she said.
“We have asked every director in our organisation to go through and update their security processes for their technology ecosystems, and we have asked everyone within the organisation to take today to ensure they are protecting the businesses, and the data.”