'Loophole' lender rushes to deal with sensitive data exposure
RealtyAssist is said to be embroiled in discussions with real estate firms after a large amount of customer data was brought into the public domain.
Among the details allegedly available online include customer names, mobile phone numbers, email addresses - and in some cases, entire property contracts, The Australian reported on Tuesday evening.
The real estate services provider, based in Perth, has reportedly declined to answer questions about the data leak, how it was being managed and whether its security systems had been strengthened.
The privacy breach allegations come days after reports emerged claiming that the real estate services provider has been exploiting a legal loophole. According to The Australian, RealtyAssist is marketing vendor loans of up to $5m for an initial period of up to 60 days, despite not holding an Australian Credit Licence. Its lawyers refuted any wrongdoing, saying under Section 58, exemptions apply for short-term lending for loan terms of under 62 days.
ASIC declined to comment on whether it was investigating any complaints, the publication reported. RealtyAssist said in a statement that it was not aware of any complaints about received by ASIC, and that it would take any such complaints or any investigation, “very seriously”.
Read next: Unlicensed provider ‘using loophole’ to offer loans up to $5m
The data leak, and potential privacy breach, has raised questions about the robustness of RealtyAssist’s technology and data security systems. The data reportedly included a number of customers’ DocuSign Envelope ID numbers, which refer to the electronic signing transaction for a particular document.
RealtyAssist works with real estate firms such as The Agency, Century 21, LH Hooker, Laing+Simmons, SLP Agency and Absolute Estate Agent, says The Australian.
According to the newspaper, The Agency confirmed on Tuesday it would investigate how data relating to some of its customers became available online. A spokesman for The Agency said the firm was aware of media reports circulating about the potential release of some of its client information, some of which it said may relate to clients in Australia.
“We have in place stringent data control measures to maintain and secure all client and operational data. We also work closely with all third parties with whom we or our clients engage to try to ensure they meet our standards in this area,” the spokesman said.
The Agency said it would investigate and should it identify an issue or perceived issue, it would collaborate with the parties involved to ensure security of client data was maintained.
A spokeswoman for LH Hooker reportedly said the agency’s offices were independently owned and operated, adding that the transaction data held by its corporate office is regarded with “the utmost importance”.
“To ensure the protection of data and third-party integrations, LJ Hooker … proactively engages a third-party cyber security organisation to conduct thorough and deep audits on a regular basis,” the LH Hooker spokeswoman said.
Read next: Funding.com.au enjoys record loan book growth
Other real estate firms with customer data that may have been exposed include Century 21 and Laing+Simmons, both of which would not comment on the data release when approached by The Australian.
The cache of data reportedly accessed and archived from RealtyAssist back-end systems included customer service agreements, a sales and inspection report, and transfer receipts for holding deposits on property sales.
One of the transfer receipts, for an amount of $143,500, was reportedly dated May 2022 and was for a property in NSW. Another document is said to have shown an agreement for $78,000, loan to a vendor selling a property in Toowong.
Other documentation said to have been included in the data leak were detailed invoices and fee agreements for customers paying property marketing fees in instalments, under buy now, pay later arrangements.
