Data breaches have been rife for some time. But the recent cyber-attacks at such large organisations as Optus and Medicare brought the issue into laser focus. Almost 10 million Australians were impacted by the Optus hack in which Medicare and passport numbers were exposed, while current and former Medibank clients had sensitive information such as health conditions revealed.

Just over a month later it was the real estate industry’s turn when a data breach at the Melbourne city franchise of high-profile agency Harcourt’s drove home the importance of cyber safety for every property agent and business across the country.

Ignorance no defence

Now real estate agencies in all sectors are being warned by regulators and industry bodies that ignoring cyber safety or cutting corners is not an option. Executive Director of cybersecurity at leading consultancy KordaMentha Tony Vizza said commercial property agencies needed to recognise they were among prime targets for hackers and prioritise cybersecurity as the chief way of protecting client confidentiality and maintaining business integrity.

“Commercial property agencies are particularly attractive to cyber criminals due to the sensitivity of the negotiations and contractual agreements involved,” Mr Vizza said, adding that it was especially important for commercial agents to make sure financial transactions took place securely and were also trackable.

While cybersecurity is a complex business, many occur via simple means and basic mistakes made by employees such as clicking on suspicious links. This was the scenario in the Harcourts case in which it was found that hackers had accessed the agency’s rental property database and exposed an unknown number of tenant’s and landlord’s names and addresses.

Simple mistakes

According to Harcourts the breach occurred when an employee at its service provider Stafflink was using the franchise’s property database to deliver administrative support.

“In this particular instance the rental property database was used by a representative of Stafflink and accessed by an unknown third party,” the spokesman said.

“We understand the unauthorised access occurred because the representative of Stafflink was using their own device for work purposes rather than a company-issued (and more secure) device.” Harcourts has since launched a comprehensive external investigation with cyber security experts, the spokesman said. 

Following news of the Harcourts breach The Real Estate Institute of Australia (REIA) weighed in to issue with a broad-based warning for the industry and a 12-point check list that principals could use to quickly check the strength of their digital systems.

Cyber health checklist

REIA President Hayden Groves said data breaches were occurring too frequently for any agency to ignore the very real risk of becoming a target for hackers looking to steal large volumes of data and divert payments by infiltrating high-value transactions.

"The REIA encourages all Australian real estate agencies to continue reviewing their cybersecurity and privacy policies if they are not already, for their consumers and their own peace of mind," he said.

"This extends to and includes third-party providers.” The checklist steps are:

  • Do not share passwords
  • Use a password keeper and generator app
  • Change default credentials of the point-of-sale controller
  • Install software updates promptly 
  • Work with vendors to ensure they follow the same guidelines 
  • Keep the back-up schedule consistent and maintain off-line back-ups
  • Ensure built-in firewalls are switched on for user devices 
  • Ensure all devices in your business have antivirus software coverage 
  • Ensure computers used for financial transactions are not used for social media or email 
  • Use email services that incorporate phishing and pretexting defences 
  • Develop a cyber security incident response plan

Email warning

The Australian Cyber Security Centre (ACSC) has also stepped up warnings to the property industry, naming the sector a top target for the key emerging threat of business email compromise (BEC) in its recently released Annual Cyber Threat Report. The report states that “in 2021–22, cybercrimes directed at individuals, such as online banking and shopping compromise, remained among the most common, while Business Email Compromise (BEC) trended towards targeting high value transactions like property settlements.

“Investigations into BEC suggest property settlements are being targeted. This is likely due to the high value of transactions. Property prices increased further during the coronavirus pandemic and digital settlement methods became more entrenched, making property transactions an attractive target. Despite the best efforts of law enforcement agencies, only a small fraction of BEC financial losses are ever recovered.”

Handy links

 ACSC Annual Cyber Threat Report, July 2021 to June 2022 |

Cyber advisory (