Data rights advocates warn real estate sector security breach would be chaos

Many real estate companies ask for a vast amount of personal information from tenants in order for them to secure their rental property, like passport numbers, bank statements, previous addresses, and driver's license numbers. Digital rights advocates are now pushing for real estate agencies to collect fewer data from renters, fearing large-scale breaches of sensitive information.

In an SBS News interview with James Clark from Digital Rights Watch, due to the high demand for rental properties in Australian cities, renters feel they don’t have a choice but to answer the “invasive” questions.

“Real estate agents are collecting and storing a huge amount of personal information.

“Despite how invasive these questions can be, renters don’t feel like they have a meaningful choice but to hand over whatever information that is being asked of them because of the fear of not getting the rental,” Clark added.

Providing a certain amount of “points” to confirm identification is required for real estate agencies to create a tenancy interest application. Sensitive information like employers’ details, previous addresses, income, bank statements, phone numbers are also requisites along with passport and driver’s licence numbers, Medicare number, and other sensitive, identifying information.

Clark noted that a breach in the real estate sector could be worse than the massive Optus data breach that impacted almost 10 million Aussies.

“Renters should be quite concerned.

“If this data was breached, it would expose even more information about many renters than was exposed in the Optus hack.

VIEW ALL

“This creates risks of an identity thief, scams and can even threaten the safety of people,” Clark warned.

Hackers can use stolen information to demand a ransom from victims and use stolen data to commit crimes like:

• Using credit card details for fraudulent purchases.
• Applying for credit cards or loans in your name.
• Accessing retirement funds or other financial accounts.
• Using your health insurance to access medical care.
• Applying for fraudulent identification such as driver’s licences or passports.
• Renting properties in your name.
• There is also the risk that criminals can commit crimes and use stolen identification when arrested.

Opposition Leader Peter Dutton encouraged businesses and individuals to use the resources on offer through the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) to better protect themselves.

“I would encourage people to visit those websites, just to get the patches, the upgrades, the updates and for the government to continue that messaging,” Dutton said.

The government was missing the mark Dutton added on making sure people knew where they could go and what they could do to protect themselves.

“Nobody is actually providing this support and this messaging out to the community, and it is important that people just take the basics and upgrade your passwords to something that is not predictable. Do it regularly."

“Make sure that the software upgrades are installed as you receive them on your phone on your devices," Dutton said.

According to Hayden Groves, Real Estate Institute of Australia (REIA) president, there are significant risks for agents who don’t follow best practices.

“With data breaches occurring frequently, REIA encourages all Australian real estate agencies to continue reviewing their cyber security and privacy policies, if they are not already, for their consumers and their own peace of mind.

“This extends to and includes third-party providers,” Groves said in an interview with SBS News.

Stolen data could be used to withdraw funds, rent properties under false names, and access fraudulent medical treatment.

Clark notes that tougher encryption is not the only answer, but agencies shouldn’t keep sensitive data unnecessarily.

“The best way to ensure that information isn’t compromised is to not collect or store it in the first place.

“But right now, there is a culture of data hoarding across corporate Australia where companies keep data just in case it could become valuable to them later.

“But our personal data doesn’t belong to these companies, and we need regulation that ensures that all companies, including real estate agencies, only collect and store what is absolutely necessary — for only as long as necessary,” Clark said.

A spokesperson for the Real Estate Institute of Victoria (REIV) has also asserted that the organisation encourages agencies to contact it for cyber attack training.

“Although all agencies have their own data breach protection systems in place, the REIV offers education — including webinars — on how to identify and protect against cyber attacks,” the REIV spokesperson said.

[Related: Australia “behind the eight ball”, Cyber Security Minister Clare O’Neil says]

Nastasha Tupas

Nastasha is a Journalist at Momentum Media, she reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. She is a co-author of a book titled The Stories Women Journalists Tell, published by Penguin Random House. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. Nastasha started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.