What happened
In late 2023 a Harcourts franchisee’s rental-property database was accessed by an unknown third party. The exposure occurred after a representative of a service provider (Stafflink) used a personal device for work rather than a secured, company-issued one [harcourts-innov]. The database held names, addresses, bank details and signatures of tenants, landlords and tradespeople, and photo identification for prospective renters [harcourts-innov].
Timeline
- 2023-10-24 — The unauthorised access was discovered [harcourts-innov].
- 2023-11 — Harcourts notified affected people and the Office of the Australian Information Commissioner [harcourts-innov].
Current status
Disclosed. Harcourts notified the OAIC. A count of affected individuals was not reported, so no figure is asserted here. This record concerns Harcourts’ Australian operation.
Why it matters
Rental applications concentrate unusually sensitive identity documents — photo ID, bank details, signatures — and a single provider using an unmanaged personal device was enough to expose them.