1Form (REA Group) Data Breach Notifications

Warrick Alexander made this Freedom of Information request to Office of the Australian Information Commissioner

Waiting for an internal review by Office of the Australian Information Commissioner of their handling of this request.

From: Warrick Alexander


Dear Office of the Australian Information Commissioner,

I would like to see all data breach notifications (including all email correspondence and associated attachments) lodged by or with respect to 1Form (REA-Group), including but not limited to breaches pertaining to:

- Shead Property
- Raine and Horne Green Square
- Metropole Property Management

Yours faithfully,

Warrick Alexander


From: Megan McKenna
Office of the Australian Information Commissioner



Our reference: FOIREQ20/00129

Dear Mr Alexander

Freedom of Information request

I refer to your request for access to documents made under the Freedom of
Information Act 1982 (Cth) (the FOI Act) and received by the Office of the
Australian Information Commissioner (OAIC) on 16 July 2020.

Scope of your request

In your email you seek access to the following:

I would like to see all data breach notifications (including all email
correspondence and associated attachments) lodged by or with respect to
1Form (REA-Group), including but not limited to breaches pertaining to:

- Shead Property
- Raine and Horne Green Square
- Metropole Property Management


In order to process your request as efficiently as possible, I will
exclude duplicates and early parts of email streams that are captured in
later email streams from the scope of this request, unless you advise me
otherwise.

Timeframes for dealing with your request

Section 15 of the FOI Act requires this office to process your request no
later than 30 days after the day we receive it. However, section 15(6) of
the FOI Act allows us a further 30 days in situations where we need to
consult with third parties about certain information, such as business
documents or documents affecting their personal privacy.

As we received your request on 16 July 2020, we must process your request
by Monday, 17 August 2020.

Disclosure Log

Documents released under the FOI Act may be published online on our
disclosure log, unless they contain personal or business information that
would be unreasonable to publish.

If you would like to discuss this matter please contact me on my contact
details set out below.

Regards

 

Megan McKenna | Lawyer
Legal Services
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
+61 2 8231 4292 | [email address]


From: Megan McKenna
Office of the Australian Information Commissioner



Our reference: FOIREQ20/00129

Dear Mr Alexander

Freedom of information request no. FOIREQ20/00129

I refer to your request made under the Freedom of Information Act 1982
(Cth) (FOI Act) and received by the Office of the Australian Information
Commissioner (OAIC) on 16 July 2020.

Because your request covers documents which contain information concerning
an organisation’s business or professional affairs and personal
information, the OAIC is required to consult the individuals and
organisations under ss 27 and 27A of the FOI Act before making a decision
on release of the documents.

For this reason, the period for processing your request has been extended
by 30 days to allow time to consult (see s 15(6) of the FOI Act). The
processing period for your request will now end on Wednesday, 16 September
2020.

The consultation mechanisms under ss 27 and 27A apply when we believe the
person or organisation concerned may wish to contend that the requested
documents are exempt for reasons of personal privacy, or may adversely
affect their business or financial affairs. We will take into account any
comments we receive but the final decision about whether to grant you
access to the documents you requested rests with the office of the OAIC.

Regards

 

 

Megan McKenna | Lawyer
Legal Services
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
+61 2 8231 4292 | [email address]


From: Mark Lindsey-Temple
Office of the Australian Information Commissioner


Attachment: Mr Alexander Access Refusal.pdf (201K)


Dear Mr Alexander,

 

Please find attached a decision in regard to your FOI Application.

Warm Regards

Mark Lindsey-Temple

 

Mark Lindsey-Temple | Senior Lawyer
Corporate Services
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
+61 400 005291 | [email address]


From: Warrick Alexander


Dear Office of the Australian Information Commissioner,

Please pass this on to the person who conducts Freedom of Information reviews.

I am requesting an internal review with respect to FOIREQ20/00129.

I kindly request that the following factors be considered in relation to the public interest:

1) the REA Group's realestate.com.au is reported to be Australia's most visited real-estate website [1] and at the time REA acquired its tenancy management platform (1Form) it was reported to have 2.3 million users [2] - a number that is likely far greater today;

2) there appears to be a clear increase in identity theft targeting the real-estate industry with the trend apparent in the OAIC notifications as per OAIC FOI log / reports;

3) there are few resources as rich with personal information that can be sold on the dark web as that of real-estate platforms since they are likely to hold extensive documentation about an individual in a single repository (passports, drivers licenses, residences etc.);

4) the data breach notifications sent by 1Form are in the public domain and were shared with thousands of people - they were publicised by 1Form in its public archive for months;

5) the data breach notifications do not appear to meet requirements as per OAIC guidelines as they appear to contain barely any description of the incident [3];

6) most alarmingly, the 3 data breach notifications appear practically identical, extremely vague, and are a cause for great concern for the Australian public since there may have been a common vulnerability - noting that 3 breaches occurred over a timespan of 9 months with what appears to be the same vague notification;

7) relying solely on the information in the 3 data breaches, I can only conclude that 1Form may be retrospectively confirming identity theft cases once reported by the authorities and notifying tenants of those agencies that it can confirm were affected (rather than all 1Form users that it has reasons to believe may be at risk - as per legislation);

8) it appears that data breach notifications were not sent to all tenants who were on lease applications but only to 1Form account holders - effectively, only one person may have been notified whereas many people may be on a given lease application (this is contra-legislation as in such cases a public service announcement is due); and

9) in summary, there appears to be real risk that documents of millions of Australians may have been compromised and that 1Form may be releasing notifications to the very few tenants of real estate agencies whose accounts it can absolutely confirm were compromised - thereby limiting exposure and leaving tenants at risk.

Finally, I note that my initial request was deemed refused as delivered outside of the statutory timeframe. I also note that OAIC was privy to the 3 notifications and I feel it should have been glaringly obvious that the notifications were inadequate, vague and identical.

Yours sincerely,

Warrick Alexander

[1] http://www.roymorgan.com/findings/6881-d...

[2] https://www.businessinsider.com.au/young...

[3] OAIC Guidelines - Description of the eligible data breach:
https://www.oaic.gov.au/privacy/guidance...

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.righttoknow.org.au/request/1...
