
Cyber Incident Victim: Harcourts

Date:

Oct 2022

Location:

Australia

Summary

A real estate agency experienced a data breach when an unauthorized third party accessed its rental property database via a compromised account at service provider Stafflink. The compromise was attributed to a Stafflink employee using a personal device instead of a secured company-issued device. Exposed information included tenants' full names, email and home addresses, phone numbers, signatures, and photo identification, as well as landlords' and tradespeople's bank details. The agency promptly revoked the compromised account's access, implemented enhanced security measures such as stricter access controls and payment protections, and initiated an external investigation. Affected individuals were notified and offered complimentary credit monitoring and identity support services, and regulators were informed. Cybersecurity advocates highlighted risks of identity theft and emphasized systemic vulnerabilities in real estate data collection practices.


Description

On October 24, 2022, Harcourts Real Estate’s Melbourne City franchisee discovered unauthorized access to its rental property database by an unknown third party. The breach occurred when a representative of Stafflink, a service provider handling administrative support for the franchisee, used a personal device for work purposes instead of a company-issued, more secure device. The compromised account allowed the third party to access sensitive information stored in the database, which was not owned or operated by Stafflink. Harcourts promptly revoked access to the affected Stafflink account upon detection but acknowledged that the attacker potentially viewed data during a "short window of time."

Exposed tenant information included full legal names, email addresses, home addresses, phone numbers, copies of signatures, and photo identification submitted during rental applications. Landlords, rental providers, and tradespeople had their full legal names, email addresses, addresses, phone numbers, signatures, and bank details potentially compromised.

Harcourts suspended the compromised account, implemented stricter access controls and password policies, and added enhanced security layers to outgoing EFP payments and data settings. CEO Adrian Knowles issued a public apology, notified the Privacy Commissioner, and initiated an external investigation with cybersecurity experts. The company also arranged complimentary credit monitoring and IDCARE support services for affected individuals while reviewing internal systems and processes.

Digital rights advocates had warned about risks in the real estate sector prior to the breach, noting that excessive data collection practices could lead to severe consequences. Samantha Floreani of Digital Rights Watch emphasized that the exposed data types—particularly combinations of signatures, IDs, and bank details—heightened risks of identity theft and financial fraud, especially if attackers cross-referenced information from other breaches like Optus or Medibank. Tenancy law expert Chris Floreani and others criticized the industry’s routine collection of unnecessary personal details, including social media profiles and children’s information, advocating for regulatory reforms to address privacy gaps. The incident highlighted concerns about power imbalances in rental applications amid Australia’s housing crisis, where tenants often feel compelled to provide excessive personal data. Harcourts confirmed no additional information beyond the specified categories was affected and urged impacted individuals to monitor for suspicious activity and phishing attempts. The breach underscored systemic vulnerabilities in third-party vendor management and device security protocols within the real estate sector.
