Australian real estate software provider Inspect Real Estate recently fell victim to a phishing attack on its online tenancy system, but a lack of similar cases in the industry meant the firm was forced to essentially write the manual on dealing with a breach.
In early October, IRE was alerted to a phishing attempt that went out to 80 email addresses of clients that use its online platform for managing rental property enquiries.
IRE counts the likes of LJ Hooker, Ray White, First National and WA firm Realmark among its 900 A/NZ customers.
"When you make an enquiry to a real estate agent they respond using their email, so [the attackers] just sent an email to the agent, the agent has responded, and they'd take a stab that they were Inspect clients," IRE co-owner Andrew Reece told iTnews.
IRE quickly jumped on its email server logs and narrowed down the phishes that had been successful to six email addresses within six firms, and changed the passwords on the accounts to lock the attackers out within an hour.
However within that time, the attackers were able to view the names, emails and mobile phone numbers of prospective renters, as well as the address they were enquiring after.
Reece told iTnews the attackers had not exported any of the details and were unlikely to have viewed more than 800 records per firm in the minutes they were in the system.
The difficult question was what to do next. Reece and his team had never dealt with a security breach of this type before, and had scant similar cases in the industry to refer to.
This meant that while IRE notified its property firm customers as soon as the attack happened, the firms themselves only started notifying their rental enquirers this week.
"We didn't realise that someone would try to gain access to our clients, so we had to develop systems and processes when it occurred," Reece told iTnews.
"So we hired a full-time security guy [security officer Michael Quinn] and numerous security consultants and put together an information pack for our clients, and spoke to a lot of people and engaged a solicitor on a nearly full-time basis.
"Then we asked ourselves, who do you contact? We found out we had to contact the AFP, so we contacted them, and we contacted the OAIC for advice.
"For the property industry, there's not a manual on this."
Additionally, the company was later hit by a second round of phishing attacks while trying to shore up its security from the first.
IRE was in the process of sending out emails notifying its clients of the breach and warning them to change passwords, which the wily attackers took full advantage of by crafting a phishing email in the same vein.
"It was surprisingly real," Reece said. He received the second phishing email while in a meeting with his security consultants, reading about how Qantas deals with phishing attacks.
"What we've learnt in the last eight weeks has been quite amazing."
Reece and IRE are using the breach as a way to get the company's clients to look more seriously at their security practices while bolstering its own.
"[The breach] enables us to, when we talk to a client, use examples like this to convince them to improve their security," Reece said. New clients now get sent an information pack on phishing.
"We've also upgraded everybody's passwords, introduced two-step verification, allowed users to be locked to only one IP address - which is a bit of a pain for some clients because tenants might want to browse on their phone and PC, but clients are happy to do that because security is so important."
IRE is also tracking enquiries so it can shut down single email addresses that appear to be applying for properties across different cities. According to Reece this is a flag for a malicious actor, as most people only ever look in one suburb or several nearby.
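The cross-city heuristic Reece describes, written up as an added illustration (not IRE's code): the enquiry records and email addresses below are constructed, and the grouping by city stands in for whatever "nearby suburbs" rule a real system would use.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Enquiry:
    """One rental enquiry as a property platform might log it."""
    email: str
    suburb: str
    city: str


# Constructed sample log: the addresses and suburbs are made up for this example.
SAMPLE_ENQUIRIES = [
    Enquiry("alice@example.invalid", "Newtown", "Sydney"),
    Enquiry("alice@example.invalid", "Marrickville", "Sydney"),
    Enquiry("bob@example.invalid", "Fitzroy", "Melbourne"),
    Enquiry("scraper@example.invalid", "Newtown", "Sydney"),
    Enquiry("Scraper@example.invalid", "Fitzroy", "Melbourne"),
    Enquiry("scraper@example.invalid", "Subiaco", "Perth"),
]


def cities_by_email(enquiries):
    """Map each enquiring address (case-folded) to the set of cities it asked about."""
    seen = defaultdict(set)
    for e in enquiries:
        seen[e.email.lower()].add(e.city)
    return seen


def flag_cross_city_enquirers(enquiries, max_cities=1):
    """Return {email: sorted cities} for addresses enquiring in more than max_cities cities.

    This is the article's heuristic: a genuine renter looks in one suburb or a few
    nearby ones, so an address spanning several cities is worth reviewing and,
    if confirmed, shutting down.
    """
    return {
        email: sorted(cities)
        for email, cities in cities_by_email(enquiries).items()
        if len(cities) > max_cities
    }


if __name__ == "__main__":
    for email, cities in flag_cross_city_enquirers(SAMPLE_ENQUIRIES).items():
        print(f"review {email}: enquiries in {', '.join(cities)}")
```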
Data breach notifications
Part of the difficulty for Reece was not knowing exactly who he was required by law to contact.
"The law at the moment doesn't explicitly say you have to inform customers," he said.
He's looking forward to the proposed introduction of mandatory data breach notification laws across the country to provide more clarity about a company's obligations.
The government released its exposure draft for its proposed mandatory data breach notification scheme earlier this month.
It would require organisations who suffer a serious breach to notify customers and the Privacy Commissioner as soon as they become aware of the incident, with potential fines for those who don't meet their obligations.
"It removes the grey area. When it is law you can say to clients 'you must send this out, it's the law'. When it's only advised it's much harder," Reece said.
"It'll bring clarity and rules to this area. We're definitely not going to be alone with this, it's going to become more and more relevant."