What’s your data worth – to someone else?

What do PwC, Latitude Financial, PayPal, Medicare and Optus all have in common?
 
These are names we all know, aren’t they? But do they sound familiar to you for any other reason?
 
Of course they do. They’re major (mostly Australian) companies, and they’ve all been hacked in the last 12 months, so if the names don’t ring bells with agency owners – and by that I mean major alarm bells – they should.
 
Each one of the companies I’ve named above is the custodian of vast amounts of customer data, and each one has been hacked in the last 12 months – as have a number of legal firms, strata management companies and, more alarmingly for our profession, a number of estate agencies and property management firms.
 
The email they received then demanded a ransom to protect the data stolen and return the security of that data to its rightful owners.
 
There are plenty of ways these breaches could have happened, and it might not even have been a traditional hack.
 
These cybercriminals are experts at exploiting weak security measures, taking what they want, and covering their tracks. Even the password management firm LastPass has had its security breached and data stolen.
 
In 2018, the average loss to each Australian small business which was hacked was somewhere in the region of $60,000, and it would be far more for the larger ones. That’s a big number, isn’t it? But imagine a hacker gained access to your trust account and, rather than emptying it immediately, progressively drained it – how much did you say was sitting in there at the moment? Yep, it’s probably a bit more than $60k, isn’t it?
 
Just 3 years later, in 2021, the ACCC put the loss to Australian business from data breaches and hacks at $227,000,000.
 
So how does this affect us? You might not know the name “Kerasid” so let me introduce you; he was the guy behind the REvil hacker group, and he believes that “Australians are the most stupidest humans alive, and they have a lot of money for no reason, a lot of money and no sense at all.”
 
As agents and property managers, we are prime targets. We hold a treasure trove of valuable records for our clients, including their personal identification, bank account details, financial records and more. We also handle large sums of money in our trust accounts.
 
And then last week the notorious cybercrime group “BlackcatV” was the instigator of an attack on another eastern suburbs Melbourne agency, along with a property law firm, a strata management company and a pathology firm. These are just the ones we’re hearing about; I’m guessing there will be plenty of others that are not reported. So it’s now really a matter of “when”, not “if”, for more of us.
 
These organisations don’t always act immediately either. In a high number of cases they’ll bide their time and “squat” inside your systems for up to 6 months, just watching and learning the patterns and accumulating as much information as they can before they make their move, so we need to be incredibly vigilant and continue to upgrade our own defences.
 
With a number of agencies I’ve visited in my consulting business not having adequate protection, it’s becoming really, patently clear that we’re not just dropping the ball when it comes to protecting our data and that of our clients, we’re actually kicking own goals and almost facilitating its potential release.
 
Here’s one example – we accept an email instruction or request to make a change to landlord banking details.
 
Do we call to double check its authenticity?
 
If we don’t, that’s a recipe for disaster, and if our processes are not well documented, followed diligently and regularly tested, we’re at even greater risk.
 
Real estate insurance companies are talking about the rising number of claims related to cybercrimes, and we need to make sure that we have best practice in place – immediately – or face the possibility that any claim we make could be denied and we have to foot the bill ourselves.
 
Still not scared?
 
Or are you still thinking “it won’t happen to me”…?
 
Well, consider this: we also hold our staff’s personal information, bank account details, superannuation information and tax records. Imagine how it’d feel if that information was exposed, and their financial future (and yours) was affected.
 
Then there’s reputational damage to consider. None of us wants to be “that guy” – the agency whose client files were breached – having to then go to each of our clients and tell them that their financial situation might be about to be impacted or, worse still, trying to minimise the fallout the way that a couple of the large companies have done. The loss of business in an agency setting would probably be close to terminal should we try to cover it up and pretend it wasn’t really that bad for anyone.
 
It’s time to ask ourselves what we’re doing to protect the people we rely on.
 
Here are some basic rules I’d recommend that we all follow:
  • Never share logins or passwords – This is one instance where sharing is definitely NOT caring – it puts more people at risk.
  • Use two-factor authentication (2FA) – Make sure you and your teams use 2FA on every platform. It adds an extra layer of security.
  • Use a password manager – e.g. NordPass, Dashlane etc. There are plenty of them.
  • Train your people well – Educate your teams and train them so that they can spot suspicious emails and phishing attempts.
  • Make sure you have cyber cover on your insurance.
Remember, you’re only as strong as your weakest point.