Real estate company Harcourts has revealed it suffered a data breach on October 14, potentially exposing customers' names, addresses and bank details to hackers.
In an email circulated to customers of Harcourts Melbourne City, the company reports it became aware of a cyber attack on October 24.
Harcourts said it was obligated to report the incident to clients under the Privacy Act 1988.
According to the email, the company's rental property database had been accessed by an unknown third party.
Harcourts said the data breach stemmed from its software service provider Stafflink, where the account of one of Stafflink's employees was allegedly compromised and made accessible to third parties.
"We are still investigating the incident but understand it has occurred through the employee using their own device for work purposes rather than the usual (and more secure) company-issued device," the email said.
"As a result, your information may have been visible to the third party for a short window of time."
Stafflink told the ABC it was not at fault for the breach and that it had engaged in a meeting with Harcourts about the incident.
When asked by the ABC about Stafflink's claims, Harcourts chief executive Adrian Knowles declined to comment.
Harcourts said information such as names, addresses, copies of signatures, photo identification and bank details may have been visible to hackers.
The company said it has since revoked access and added new layers of protection since the data breach.
It is not known how many people were impacted by the breach.
Real estate industry's data practices in dire need of reform: digital rights expert
The data breach comes after major cybersecurity incidents at both Optus and Medibank, with millions of Australians potentially affected by breaches.
Digital Rights Watch executive director James Clark said a reckoning for the real estate industry has been a long time coming.
"We've been warning about this for a while that the real estate industry has been collecting far too much information, especially about renters," Mr Clark said.
"When you're collecting as much information as the real estate industry has, unfortunately leaks like this become inevitable."
Mr Clark said renters in particular were put at huge risk with the amount of information they are required to provide to secure a property.
"We have no oversight into how long they're storing that for and what else they're doing with that information," he said.
Mr Clark said the industry seemed arrogant about their cybersecurity protocols and had been found out.
"Harcourts was quoted recently as saying that their digital security is top notch, and unfortunately I think it's quite embarrassing that they are the real estate agency that has had this breach."
The government has proposed to steeply increase penalties for serious or repeated privacy breaches, with reforms flagged for 2023.
Mr Clark said while companies should be able to store information for a "reasonable" period of time, privacy reform was desperately needed in Australia.
"What we really need is a regulator that is really well resourced to oversee this and to make sure that companies are not stretching the definitions of 'reasonable', which we do see now," he said.
