1Form (REA Group) Data Breach Notifications

Warrick Alexander (Account suspended) made this Freedom of Information request to Office of the Australian Information Commissioner

This request has been closed to new correspondence from the public body. Contact us if you think it ought to be re-opened.

The request was partially successful.

Warrick Alexander (Account suspended)

Dear Office of the Australian Information Commissioner,

I would like to see all data breach notifications (including all email correspondence and associated attachments) lodged by or with respect to 1Form (REA-Group), including but not limited to breaches pertaining to:

- Shead Property
- Raine and Horne Green Square
- Metropole Property Management

Yours faithfully,

Warrick Alexander

Megan McKenna, Office of the Australian Information Commissioner

5 Attachments

Our reference: FOIREQ20/00129

Dear Mr Alexander

Freedom of Information request

I refer to your request for access to documents made under the Freedom of
Information Act 1982 (Cth) (the FOI Act) and received by the Office of the
Australian Information Commissioner (OAIC) on 16 July 2020.

Scope of your request

In your email you seek access to the following:

    I would like to see all data breach notifications (including all email
    correspondence and associated attachments) lodged by or with respect to
    1Form (REA-Group), including but not limited to breaches pertaining to:

    - Shead Property
    - Raine and Horne Green Square
    - Metropole Property Management

In order to process your request as efficiently as possible, I will
exclude duplicates and early parts of email streams that are captured in
later email streams from the scope of this request, unless you advise me
otherwise.

Timeframes for dealing with your request

Section 15 of the FOI Act requires this office to process your request no
later than 30 days after the day we receive it. However, section 15(6) of
the FOI Act allows us a further 30 days in situations where we need to
consult with third parties about certain information, such as business
documents or documents affecting their personal privacy.

As we received your request on 16 July 2020, we must process your request
by Monday, 17 August 2020.

Disclosure Log

Documents released under the FOI Act may be published online on our
disclosure log, unless they contain personal or business information that
would be unreasonable to publish.

If you would like to discuss this matter please contact me on my contact
details set out below.

Regards

Megan McKenna | Lawyer
Legal Services
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
+61 2 8231 4292 | [email address]

***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************


Megan McKenna, Office of the Australian Information Commissioner

5 Attachments

Our reference: FOIREQ20/00129

Dear Mr Alexander

Freedom of information request no. FOIREQ20/00129

I refer to your request made under the Freedom of Information Act 1982
(Cth) (FOI Act) and received by the Office of the Australian Information
Commissioner (OAIC) on 16 July 2020.

Because your request covers documents which contain information concerning
an organisation’s business or professional affairs and personal
information, the OAIC is required to consult the individuals and
organisations under ss 27 and 27A of the FOI Act before making a decision
on release of the documents.

For this reason, the period for processing your request has been extended
by 30 days to allow time to consult (see s 15(6) of the FOI Act). The
processing period for your request will now end on Wednesday, 16 September
2020.

The consultation mechanisms under ss 27 and 27A apply when we believe the
person or organisation concerned may wish to contend that the requested
documents are exempt for reasons of personal privacy, or may adversely
affect their business or financial affairs. We will take into account any
comments we receive but the final decision about whether to grant you
access to the documents you requested rests with the office of the OAIC.

Regards

Megan McKenna | Lawyer
Legal Services
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
+61 2 8231 4292 | [email address]


Mark Lindsey-Temple, Office of the Australian Information Commissioner

6 Attachments

Dear Mr Alexander,

Please find attached a decision in regard to your FOI Application.

Warm Regards

Mark Lindsey-Temple

Mark Lindsey-Temple | Senior Lawyer
Corporate Services
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
+61 400 005291 | [email address]


Warrick Alexander (Account suspended)

Dear Office of the Australian Information Commissioner,

Please pass this on to the person who conducts Freedom of Information reviews.

I am requesting an internal review with respect to FOIREQ20/00129.

I kindly request that the following factors be considered in relation to the public interest:

1) the REA Group's realestate.com.au is reported to be Australia's most visited real-estate website [1] and at the time REA acquired its tenancy management platform (1Form) it was reported to have 2.3 million users [2] - a number that is likely far greater today;

2) there appears to be a clear increase in identity theft targeting the real-estate industry with the trend apparent in the OAIC notifications as per OAIC FOI log / reports;

3) there are few resources as rich with personal information that can be sold on the dark web as that of real-estate platforms since they are likely to hold extensive documentation about an individual in a single repository (passports, drivers licenses, residences etc.);

4) the data breach notifications sent by 1Form are in the public domain and were shared with thousands of people - they were publicised by 1Form in its public archive for months;

5) the data breach notifications do not appear to meet requirements as per OAIC guidelines as they appear to contain barely any description of the incident [3];

6) most alarmingly, the 3 data breach notifications appear practically identical, extremely vague, and are a cause for great concern for the Australian public since there may have been a common vulnerability - noting that 3 breaches occurred over a timespan of 9 months with what appears to be the same vague notification;

7) relying solely on the information in the 3 data breaches, I can only conclude that 1Form may be retrospectively confirming identity theft cases once reported by the authorities and notifying tenants of those agencies that it can confirm were affected (rather than all 1Form users that it has reasons to believe may be at risk - as per legislation);

8) it appears that data breach notifications were not sent to all tenants who were on lease applications but only to 1Form account holders - effectively, only one person may have been notified whereas many people may be on a given lease application (this is contra-legislation as in such cases a public service announcement is due); and

9) in summary, there appears to be real risk that documents of millions of Australians may have been compromised and that 1Form may be releasing notifications to the very few tenants of real estate agencies whose accounts it can absolutely confirm were compromised - thereby limiting exposure and leaving tenants at risk.

Finally, I note that my initial request was deemed refused as delivered outside of the statutory timeframe. I also note that OAIC was privy to the 3 notifications and I feel it should have been glaringly obvious that the notifications were inadequate, vague and identical.

Yours sincerely,

Warrick Alexander

[1] http://www.roymorgan.com/findings/6881-d...

[2] https://www.businessinsider.com.au/young...

[3] OAIC Guidelines - Description of the eligible data breach:
https://www.oaic.gov.au/privacy/guidance...

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.righttoknow.org.au/request/1...

Eva Mitchell left an annotation ()

I would like to confirm that I believe I am one of those Australians whose details have been compromised; I have only been made aware via a credit report for a home loan.

I have had multiple credit cards and a personal loan sought in my name using an old address since March 2020. When contacting the providers to report this fraud and trying to establish how this has happened, and how they got my driving licence, DOB and employment history, I was advised that 1form had a data breach recently? This is a scary coincidence given the address used in these applications is an old one that I haven't lived in since 2016 and the real estate agent I was with is one that Warrick has highlighted.

I will be doing my own continued investigation, and following this request/ lodging my own request in due course.

Warrick Alexander (Account suspended)

Dear OAIC,

I am forwarding correspondence submitted on the right to know platform by a concerned citizen in relation to this FOI request since it goes to public interest.

----
Eva Mitchell left an annotation (November 11, 2020)
I would like to confirm that I believe I am one of those Australians whose details have been compromised; I have only been made aware via a credit report for a home loan.

I have had multiple credit cards and a personal loan sought in my name using an old address since March 2020. When contacting the providers to report this fraud and trying to establish how this has happened, and how they got my driving licence, DOB and employment history, I was advised that 1form had a data breach recently? This is a scary coincidence given the address used in these applications is an old one that I haven't lived in since 2016 and the real estate agent I was with is one that Warrick has highlighted.

I will be doing my own continued investigation, and following this request/ lodging my own request in due course.
----

Yours faithfully,

Warrick Alexander

Emma Liddle, Office of the Australian Information Commissioner

Dear Mr Alexander

I refer to your email of 17 October in which you seek internal review of a decision made in FOI request FOIREQ20/00129.

As you have identified in your email, the access refusal decision was to be provided to you on 16 September 2020. Although the access refusal decision provided to you was dated 16 September 2020, it was delivered outside the 30 day statutory timeframe, on 17 September 2020.

This means that the access refusal decision provided to you is taken to have been made under s 15AC of the FOI Act. Section 54E of the FOI Act provides that, where a decision is taken to have been made under s 15AC, internal review is not available.

You have the right to seek review of this decision by the Information Commissioner and the Administrative Appeals Tribunal (AAT).

Alternatively, the OAIC invites you to make a new FOI request for the information you seek to access. If you make a new FOI request, the OAIC will allocate your request to a different decision maker and will notify you of the decision within the statutory timeframe.

Information about how to seek review by the Information Commissioner was included in your access refusal decision letter.

Information about how to make a new FOI request is available on our website here: https://www.oaic.gov.au/about-us/access-....

Please contact me if you have any questions about this email.

Regards

Emma Liddle | Acting Principal Lawyer
Freedom of Information
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
+61 2 9284 9717 | [email address]

-----Original Message-----
From: Warrick Alexander <[FOI #6486 email]>
Sent: Saturday, 17 October 2020 11:55 PM
To: Legal <[email address]>
Subject: Internal review of Freedom of Information request - 1Form (REA Group) Data Breach Notifications

Warrick Alexander (Account suspended)

Dear Ms Liddle,

Thank you for your response.

When can we expect the release of the documents under this FOI request (I note the decision was made two months ago, with 30 days allowed for objections and another 30 for review)?

Yours faithfully,

Warrick Alexander