Cyber Incident Victim: PH Property

On 15 March 2023, threat actors compromised a staff email account at Victorian real estate agency PH Property Bendigo, leading to a data breach affecting approximately 200 customers. Attackers bypassed existing security protocols including two-factor authentication, randomized passwords, firewall protections, and security software. The intrusion resulted in the theft of four months of data containing client bank details, names, contact information, and identity documentation. The breach was detected when fraudulent communications originating from the compromised email account—associated with a staff member named Kayla—were sent to clients requesting they open malicious attachments. On 29 March, PH Property notified affected clients via email, explicitly warning against interacting with these messages and disclosing that attackers might possess a local copy of Kayla’s entire email account, granting access to all sent and received correspondence. The agency immediately engaged cybersecurity professionals to secure its network and reported the incident to the Office of the Australian Information Commissioner.

PH Property advised clients to monitor bank accounts and update passwords as precautionary measures. Forensic analysis preserved affected devices to maintain evidence for insurance and investigative purposes, with security expert Brenton Johnson emphasizing the importance of retaining compromised hardware rather than wiping it. The incident highlighted heightened risks for small and medium enterprises, with industry data indicating 43% of cyber attacks in 2019 targeted businesses with fewer than 250 employees. FBI statistics from the Internet Crime Complaint Center further supported this trend, documenting 11,000 SME cyber attack reports totaling $217 million in losses prior to this breach. While PH Property’s implemented defenses exceeded typical SME standards, the successful breach demonstrated attackers’ evolving capabilities against multi-layered security architectures.