RealtyAssist locked in crisis talks over data breach
RealtyAssist’s board and management held crisis meetings on Tuesday as they sought to brief select real estate agencies on a sweeping data leak.
RealtyAssist’s board and management were in crisis meetings on Tuesday as they sought to brief select real estate agencies on how large swathes of customer data became accessible online.
On Tuesday, The Australian reported sensitive customer details managed by RealtyAssist relating to a large number of property transactions were publicly available, exposing lax security practices at the company.
RealtyAssist counts real estate agencies around the country as customers, providing them with invoicing and a range of other services. Its customers include The Agency, Century 21, LJ Hooker, Laing+Simmons, SLP Agency and Absolute Estate Agents.
The Agency on Tuesday confirmed the firm would investigate how some of its customer data became available online.
“We are aware of media reports regarding RealtyAssist Australia and the potential release of some of its client information, some of which may relate to Agency Australia clients,” a spokesman said.
“We have in place stringent data control measures to maintain and secure all client and operational data. We also work closely with all third parties with whom we or our clients engage to try to ensure they meet our standards in this area.
“The Agency will investigate this matter and should an issue, or perceived issue, arise we are committed to working closely with those involved to ensure the security of our client data continues to be maintained and is not put at risk.”
An LJ Hooker Corporate spokeswoman said the agency’s offices were independently owned and operated, but added that the safety of property transaction data was important.
“The transactional data held by LJ Hooker Corporate is regarded with the utmost importance,” she said. “To ensure the protection of data and third-party integrations, LJ Hooker … proactively engages a third-party cyber security organisation to conduct thorough and deep audits on a regular basis.”
The trove of information available online – which included customer names, mobiles, email addresses and in some cases entire property contracts – raised serious questions about the robustness of RealtyAssist’s technology and data security systems.
The data leak also included a number of customers’ DocuSign Envelope ID numbers, which reflect a permanent reference to the electronic signing transaction for a particular document.
Perth-based RealtyAssist declined to respond to questions about how it was managing the data leak and whether it had fortified its security systems.
Other realtor groups whose customers’ data may have been exposed – including Century 21 and Laing+Simmons – have not commented on the data release.
The cache of data accessed – and archived – from RealtyAssist’s back-end systems included detailed customer service agreements, a sales and inspection report and transfer receipts for holding deposits on property sales.
The Australian reported on Tuesday that one of the transfer receipts – via real-time payments platform Osko – was dated May 2022 for a property in NSW and totalled $143,500. Another document showed an agreement for $78,000 loaned to a vendor selling a house in Toowong.
Other documents included detailed invoices and fee agreements for customers choosing to enter contracts to pay property marketing costs in instalments, under buy now, pay later arrangements.
Among RealtyAssist’s products is a service that allows vendors of homes and apartments to pay marketing costs in instalments. It has partnered with Domain Holdings on that service.
Rival providers of similar pay later products include MoneyMe and CampaignAgent.
The company offers short-term loans of up to $5m in that manner and does not have a credit licence. On Sunday, RealtyAssist said that was within the scope of exemptions to the National Credit Code. The code specifies that, to be exempt from legal obligations, short-term credit should not exceed 62 days, and there are limits to the amount of interest charged. The Australian Securities & Investments Commission is understood to be investigating complaints about those arrangements.
News Corp – publisher of The Australian – owns a stake in Domain’s competitor REA Group, which in turn holds a strategic investment in CampaignAgent.
Originally published as RealtyAssist locked in crisis talks over data breach