Privacy advocates are calling for an overhaul of the way renters’ personal information is stored after real estate firm Harcourts Melbourne City revealed that a recent cyber attack may have compromised identity documents and other details of its clients and their tenants.

The firm, which manages a broad range of Melbourne city apartment blocks and boutique buildings, informed clients and tenants that a third-party cyberattack on its rental property database “resulted in some of your personal information being potentially accessed by the third party.”

The platform “holds certain personal information” about landlords, tenants, and supporting trades, Harcourts explained, including contact details, a copy of the client’s signature, bank details, and copies of photo identification supplied as part of tenancy arrangements.

Harcourts has blamed the breach on the compromise of an account of an employee of real estate service provider StaffLink, which provides property and task management software to help real estate agents run more efficiently.

Based on the company’s description of events, an employee account was compromised after an employee used a personal device for work purposes, rather than using their more secure company-issued device – allowing a cyber criminal access to Harcourts personal data.

Harcourts moved quickly to suspend the affected employee account, change passwords, add multi-factor authentication, improve password policies, implement “strict access controls on all accounts”, and add a new layer of protection that raises alerts when any “critical details or settings” are changed, among other measures.

In an email to clients and renters, Harcourts said, “importantly, our networks, accounts and your personal information are now all secure and our services are able to continue as normal”.

StaffLink has denied responsibility, and is said to be meeting with Harcourts to discuss the incident and its remediation.

How much data is too much?

News of the breach comes days after Nicholas Hadrall, digital coordinator at Harcourts in Huon Valley, told SBS News that the use of Google encryption and “a Google Vault” meant the firm had “the best protection in the world” – highlighting an industry approach to security that privacy advocates say is inadequate given the sensitive information that is routinely collected by real estate firms.

A large-scale cyber security breach in the real estate industry would be “devastating”, UNSW City Futures Research Centre senior research fellow Dr Chris Martin recently warned, noting that agents are “collecting a lot more personal information, with arguably not a whole lot of purpose behind it” and flagging a lack of transparency about how personal data is used and secured.

“The sorts of questions being asked in tenancy applications are getting more intense,” he added, criticising the “unreasonable, intrusive and risky questions landlords and agents may be asking now”.

“Applicants might not want to hand over that level of information because of privacy concerns,” he said, “but they’re in a position where they have little choice.

“It’s a big risk if that information falls into the wrong hands.”

Yet collection of personal data is only part of the problem: many agents retain data for long periods, citing regulatory requirements that require them to retain documents for a period of time for audit purposes – seven years in Victoria, for example, five years in Queensland, and three years in NSW.

Long-term retention of personal data risks creating massive data stores that attract cyber criminals looking for personal information they can sell or exploit for identity theft.

Digital Rights Watch (DRW), for one, has called out a “culture of data hoarding where companies collect too much information ‘just in case’ it may be useful in the future”, and has been campaigning for a range of Privacy Act changes including a focus on data minimisation; a broader definition of ‘personal information’; imposition of a ‘fair and reasonable’ requirement for all forms of data collection; and increased penalties for entities that breach the Act.

The ongoing run of major data breaches in recent weeks – including Optus, Medibank, Woolworths subsidiary MyDeal, ADF contractor ForceNet, and others – has ratcheted up scrutiny of the way personal data is collected and secured.

Amidst industry calls for greater clarity around data collection and security practices, the federal government has mooted new rules and substantially increased penalties – including fines of up to $50 million – for companies that fail to protect their clients’ personal data.