KEY POINTS
- Stolen data could be used to withdraw funds, rent properties under false names, and access fraudulent medical treatment.
- Digital rights advocates are calling for real estate agencies to collect fewer data from renters.
Digital rights advocates are calling for real estate agencies to collect fewer data from renters, fearing large-scale breaches of sensitive information.
Many real estate companies ask for a vast amount of personal information from tenants in order for them to secure their rental property, like passport numbers, bank statements, previous addresses, and driver's license numbers.
The Optus data breach impacted close to 10 million Australians, exposing Medicare and passport numbers.
Medibank experienced a similar data breach, where details of patients' operations, among other sensitive information, were held for ransom.
Now the spotlight is on the real estate sector - and some warn it could be next.
What data do real estate agencies have?
To create a tenancy interest application, real estate agencies ask you to provide a certain amount of 'points' to confirm your identification. This usually consists of passport and driver's license numbers, your Medicare number, and other sources of identification.
They also ask for your employers' details, previous addresses, income, bank statements, phone numbers and other sensitive information.
James Clark from Digital Rights Watch told SBS News that due to the high demand for rental properties in Australian cities, renters feel they don't have a choice but to answer the "invasive" questions.
"Real estate agents are collecting and storing a huge amount of personal information," he said.
"Despite how invasive these questions can be, renters don’t feel like they have a meaningful choice but to hand over whatever information that is being asked of them because of the fear of not getting the rental."
How bad would a data breach be?
Mr Clark said a breach in the real estate sector could be worse than the Optus hack.
"Renters should be quite concerned," he said.
"If this data was breached, it would expose even more information about many renters than was exposed in the Optus breach.
"This creates risks of an identity thief, scams and can even threaten the safety of people."
Hackers can use stolen information to demand a ransom from victims, like in the case of the Optus and Medibank breaches.
But they can also use stolen data to commit further crimes such as:
- Using credit card details for fraudulent purchases
- Applying for credit cards or loans in your name
- Accessing retirement funds or other financial accounts
- Using your health insurance to access medical care
- Applying for fraudulent identification such as driver's licenses or passports
- Renting properties in your name
There is also the risk that criminals can commit crimes and use stolen identification when arrested.
What can real estate agencies do to protect sensitive data?
Digital coordinator at Harcourts Huon Valley real estate agency Nicholas Hadrall told SBS News that protections are in place.
"Our data is encrypted by Google, so it's got the best protection in the world," he said.
"And within Google itself, there's a secondary vault, where everything is encrypted. And then there's a Google Vault, which all Google business partners have, which is secondary encryption as well."
Real Estate Institute of Australia (REIA) President Hayden Groves told SBS News there are significant risks for agents who don't follow best practices.
"With data breaches occurring frequently, REIA encourages all Australian real estate agencies to continue reviewing their cybersecurity and privacy policies, if they are not already, for their consumers and their own peace of mind," he said.
"This extends to and includes third-party providers.”
Mr Clark says tougher encryption is not the only answer; rather, he says, agencies shouldn't keep sensitive data unnecessarily.
"The best way to ensure that information isn’t compromised is to not collect or store it in the first place," he said.
"But right now, there is a culture of data hoarding across corporate Australia where companies keep data just in case it could become valuable to them later.
"But our personal data doesn’t belong to these companies, and we need regulation that ensures that all companies, including real estate agencies, only collect and store what is absolutely necessary - for only as long as necessary."
A spokesperson for the Real Estate Institute of Victoria (REIV) said it encourages agencies to contact it for cyberattack training.
"Although all agencies have their own data breach protection systems in place, the REIV offers education - including webinars - on how to identify and protect against cyberattacks," the spokesperson said.