RealtyAssist brings in external company to review its cyber security

RealtyAssist has appointed a company to examine and recommend changes to its online technology after customer data was made publicly available.

Joyce Moullakis

Medibank investigations reveal no 'customer data' was taken from their system

3 min read

7:44PMOctober 19, 2022.

Updated 7:59PMOctober 19, 2022

The Australian Business Network

RealtyAssist has appointed a cyber security firm to review and recommend “any necessary actions” to its technology processes and systems, after it allowed customer data and details to be made publicly available online.

An email sent by RealtyAssist chief executive Sam Rettke and obtained by The Australian notes the real estate services firm was writing to tell customers of an incident that may have made customer information available on a third-party website.

“The website, WayBack Machine, is a digital archive of the world wide web, and we understand information was accessed through their system and remained archived in their database,” Mr Rettke wrote.

The Australian on Tuesday revealed that a trove of RealtyAssist information was readily available online. It included customer names, mobiles, email addresses, customers’ DocuSign Envelope ID numbers, property deposit receipts and in some cases entire property contracts.

“Upon initial review, we understand that data released affected a small proportion of customers of RealtyAssist from December 2020 to mid-April 2021. For the avoidance of doubt, this information is no longer accessible on WayBack Machine,” Mr Rettke’s email said.

His comments come despite The Australian showing that one of the customer transfer receipts accessible online was dated May 2022, relating to a property in NSW and totalling $143,500.

RealtyAssist’s clients include agency Century 21. Picture: Brenton Edwards

RealtyAssist provides invoice, payment and loan services to real estate agents around the nation. Its customers include The Agency, Century 21, LJ Hooker, Laing+Simmons, SLP Agency and Absolute Estate Agents.

The email sent on Thursday marks the first time RealtyAssist has addressed the matter given the data issue raised questions about its ability to protect sensitive customer information.

“RealtyAssist takes the protection of your data extremely seriously. That’s why, upon being made aware of these reports, RealtyAssist requested that WayBack Machine delete all information related to our customers.

“We can confirm that no identification documents, such as passport or licences, were accessible at any time. Rather, information may have included customer names, mobiles, email addresses and potentially screenshots of loan contracts.

“Importantly, WayBack Machine has confirmed the files were accessed by a very limited number of IP addresses.

“This suggests malicious activity is highly unlikely and at this stage, there is no suggestion that a third-party cyber attacker has been involved in the disclosure of the information.”

Mr Rettke told customers there was “no room for complacency” on the data issues faced by the company and apologised, promising to keep them informed as it audits its systems.

“In addition to stringent security measures already in place, RealtyAssist has appointed a third-party cyber security firm who will conduct a review of the circumstances and recommend any necessary actions,” he wrote.

Information accessed may have included customer names, mobile phone numbers, email addresses and possibly screenshots of loan contracts.

“We are not encouraging you to take any action at this stage.”

RealtyAssist did not respond to a list of questions put to it on Monday asking about its security and data practices and how it kept customer details safe.

The company is also the subject of complaints to the corporate regulator about its lending practices. The Australian Securities & Investments Commission is investigating complaints relating to RealtyAssist relying heavily on exemptions under the National Credit Code.

The company offers short-term loans of up to $5m to property vendors that want an advance on sale proceeds, but does not have a credit licence. On Sunday, RealtyAssist said that was within the scope of exemptions to the National Credit Code. The code specifies to be exempt from legal obligations short-term credit should not exceed 62 days, and there are limits to the amount of interest charged, although the amounts lent are uncapped.

RealtyAssist also provides pay later services for property sellers to pay marketing costs in instalments rather than a lump sum to the real estate agent.

Asked about RealtyAssist’s heavy use of exemptions under the National Credit Code, a spokesman for Financial Services Minister Stephen Jones said: “The government understands ASIC is currently assessing evidence regarding matters raised in the media. As such, it would be inappropriate to comment.

“The government strongly encourages all participants in the credit market to ensure they are compliant with relevant legislation.”

The government has Treasury compiling an issues paper on the buy now, pay later sector and its use of exemptions under the National Credit Code. Consumer advocates and other stakeholders want the exemptions scrapped so those operating in the industry are subject to regulation and responsible lending obligations.

Mr Jones in August outlined that regulation of the local BNPL sector would centre on creating a “level playing field” and not stifling competition among credit providers. He has previously indicated he wants BNPL services treated as a type of loan product and suggested new regulations could be firmed up in the first half of next year.