Potentially sensitive customer information allegedly stolen from Melbourne real estate agency Nelson Alexander

A real estate agency in Melbourne experienced a mysterious nighttime theft, with a large amount of sensitive information belonging to tenants and landlords reportedly stolen. Police are currently investigating the incident. It is understood that the Nelson Alexander office in Northcote was broken into around 10:30 pm on October 26th, and five boxes containing information were stolen.

A Victoria Police spokesperson stated that a 40-year-old man from North Fitzroy has been charged with handling stolen goods, and some of the documents have been recovered. The man is scheduled to appear in court early next year. According to the agency, the stolen boxes contained information related to 89 historical tenancy files, which were in the process of being scanned before destruction.

A former Nelson Alexander tenant named Amy said she received an email about the data breach approximately two weeks later. The email warned that detailed information such as names, addresses, phone numbers, dates of birth, tenancy ledgers, and potentially identification documents like driver's licenses may have been stolen. The email also advised her to "carefully review the information affected by this incident and consider whether this may cause you any harm." Amy expressed frustration, adding that she is no longer a Nelson Alexander tenant, making it difficult to determine if any of her information is still valid.

Amy stated that she later realized she had not actually had any dealings with the real estate agency for about eight years. She contacted the agency to inquire about their data retention policy and was informed that they typically retain data for seven years. In Victoria, real estate agencies are required to keep sensitive information for seven years. The Real Estate Institute of Victoria stated that agencies can destroy the materials after this period, but can also retain them with secure storage. To protect Amy's identity, the Australian Broadcasting Corporation used a pseudonym.

Amy said that considering she was also affected by a pathology lab data breach in late 2023, her data may have been compromised twice in about 12 months. "It's frustrating when you receive an email saying your data may have been breached and there doesn't seem to be any consequence," she said, "I'm just frustrated." Nelson Alexander stated that they take data storage very seriously and have self-reported the matter to the federal privacy regulator, the Office of the Australian Information Commissioner. A spokesperson said, "All of our current tenancy data is stored with digital/cloud technology providers with stringent security protocols, complex passwords, multi-factor authentication (MFA) and single sign-on (SSO) where possible." The agency stated that they work with industry providers "to ensure the highest levels of protection for our client data." The police investigation is still ongoing.

In recent years, several real estate agencies have become victims of cyberattacks targeting client information. Privacy advocates say that applying for a lease often requires a large amount of personal information, making this data a valuable target. Samantha Floreani, an advocate for Digital Rights Watch who specializes in real estate data privacy, said, "It's a complete description of someone's life." She believes that "one of the key things that should be done in Victoria and Australia more broadly is to mandate data retention periods to ensure real estate agencies are not holding large amounts of sensitive personal information long term."