National e-conveyancing platform PEXA has asked its security team to run “detailed monitoring” across all accounts after a conveyancer was allegedly hacked and property settlement funds rerouted.
Fairfax Media reported late Friday that a Melbourne family had lost $250,000 from the sale of their home after the funds were stolen while transiting via the PEXA platform.
PEXA - whose shareholders are state governments and major banks, among others - was established in 2010 to deliver a single, national e-conveyancing system.
It is designed to enable lawyers, conveyancers and financial institutions to lodge documents with land registries and complete financial settlements electronically.
According to Fairfax, the family lost their money after unknown hackers gained access to a Victorian conveyancer’s email account, which they were able to use to reset PEXA login credentials and then add themselves to the PEXA account.
PEXA’s acting CEO James Ruddock confirmed in a statement that an “unknown party gained unauthorised access to a practitioner's email account.”
“In this instance, the party intercepted a change-in-password email sent from the PEXA platform to the subscriber, which in turn allowed this person to access the subscriber's PEXA account,” he said.
Once into the conveyancer’s PEXA account, the hacker is alleged to have “fraudulently changed … the destination account details in the settlement schedule” of the Melbourne family.
This enabled the hacker to reroute the settlement funds to a different bank account.
Ruddock said it was up to conveyancers to check that settlement details were correct before digitally signing an electronic transaction.
“Any payment instruction requires you to digitally sign (or re-sign) the financial settlement schedule confirming the account details that you have entered, allowing settlement to proceed,” he advised users.
“Please be conscious of checking the settlement schedule immediately prior to signing to ensure that the information you are signing off on is correct.”
Ruddock said that “verbally confirming bank account details with clients” was one way that PEXA users could reduce their risk profiles.
Other tips he offered included not accessing a PEXA account over “free public wifi” and keeping devices used to log in to PEXA patched.
Ruddock said that the PEXA platform itself “was not hacked” in the incident.
But the company was worried enough about the incident to assign its security team to look for similar instances across PEXA’s logs.
“The PEXA security team is currently undertaking detailed monitoring of all ‘workspace’ activity, checking for any similar scenarios where passwords have been reset in close succession among a number of other things, which may be considered ‘unusual’ behaviour,” Ruddock said.
“If we find any workspaces or accounts that fall into this category, we will immediately call you to double check if you undertook the activity in question.
“PEXA is also in the process of adding additional security measures,” he said, without elaborating.
Fairfax reported the family still had not managed to recover the funds, and was struggling to find a party in the end-to-end conveyancing process that would accept liability for the incident.
Update, 25/6: PEXA has beefed up its security controls in the wake of the incident.