A leading Australian real estate agency has revealed the simple mistake that led to tenants’ names and addresses being exposed in a cyber attack.
Harcourts Real Estate confirmed its Melbourne City franchisee had fallen victim to hackers after the rental property database was accessed by a third party last month.
In an internal email sent to customers, the franchisee confirmed the confidential information of tenants, landlords, and businesses may have been exposed.
A Harcourts spokesman said the property database was used by the franchisee’s service provider, Stafflink, to provide administrative support.
“In this particular instance the rental property database was used by a representative of Stafflink and accessed by an unknown third party,” the spokesman said.
“We understand the unauthorised access occurred because the representative of Stafflink was using their own device for work purposes rather than a company-issued (and more secure) device.
Harcourts is currently undertaking a comprehensive external investigation with cyber security experts.”
It is not known how many people were impacted by the breach.
Harcourts Australia CEO Adrian Knowles issued a statement apologising for the incident.
“Dealing with this incident is our top priority, we are working together with the franchisee to ensure that all impacted individuals are advised of the incident,” he said.
“In addition, we are in the process of establishing complimentary credit monitoring and access to the IDCARE support service for impacted individuals.”
Mr Knowles said the Privacy Commissioner had been notified of the breach and a review of the company’s systems and processes was also underway.
In an internal email, seen by NCA NewsWire, Harcourts’ Melbourne City branch explained they became aware on October 24 that an “unknown third party” had accessed their rental property database without permission.
The email explained the full legal names, email addresses, addresses, phone numbers, and signatures of tenants were potentially visible.
The bank details of rental providers, landlords, and trades may also have been detectable.
“We are confident that no other personal information was affected,” the email read.
Harcourts explained they had suspended the compromised account and had added new layers of protection to its outgoing EFP payments, data and security settings.
Strict access controls and password policies were also put in place.
The company urged recipients to be aware of any suspicious activity in their online accounts and beware of potential phishing scams.
In September, hackers made off with the information of 10 million current and former customers of telco giant Optus, before dumping the information of 10,0000 customers and bizarrely apologising for the theft.
Health care giant Medibank said criminals had allegedly stolen up to 200GB of data in late October.