1Form (REA Group) Data Breach Notifications resubmission

Warrick Alexander (Account suspended) made this Freedom of Information request to Office of the Australian Information Commissioner

This request has been closed to new correspondence from the public body. Contact us if you think it ought to be re-opened.

The request was partially successful.

Warrick Alexander (Account suspended)

Dear Office of the Australian Information Commissioner,

My earlier FOI request with the OAIC was deemed refused, as was my request for review under s 54E of the FOI Act - https://www.righttoknow.org.au/request/1...

Instead, the OAIC suggested that a new FOI request would yield a new decision-maker, with the assurance that a decision would be provided within the statutory timeframe.

I kindly propose that any decision should also elaborate with regard to differences in redactions as compared with the initial decision (for the initial request). This will save the public from additional delays (another review expiry) before finding out whether there was any substantive change to the initial decision.

I would like to see all data breach notifications to date (including all email correspondence and associated attachments to date) lodged by or with respect to 1Form (REA-Group), including but not limited to breaches pertaining to:

- Shead Property
- Raine and Horne Green Square
- Metropole Property Management

I kindly request that the following factors be considered in relation to the public interest:

1) the REA Group's realestate.com.au is reported to be Australia's most visited real-estate website [1] and at the time REA acquired its tenancy management platform (1Form) it was reported to have 2.3 million users [2] - a number that is likely far greater today;

2) there appears to be a clear increase in identity theft targeting the real-estate industry with the trend apparent in the OAIC notifications as per OAIC FOI disclosure log / annual reports;

3) there are few resources as rich with personal information that can be sold on the dark web as that of real-estate platforms since they are likely to hold extensive documentation about an individual in a single repository (passports, drivers' licenses, residences etc.);

4) the data breach notifications sent by 1Form are in the public domain [3] and were shared with thousands of people - they were publicised by 1Form in its public archive for months;

5) the data breach notifications do not appear to meet requirements as per OAIC guidelines as they appear to contain barely any description of the incident [4];

6) most alarmingly, the 3 data breach notifications appear practically identical, extremely vague, and are a cause for great concern for the Australian public since there may have been a common vulnerability - noting that 3 incidents were reported over a time span of 9 months with what appears to be the same vague notification;

7) relying solely on the information in the 3 data breach notifications, I can only conclude that 1Form may be retrospectively confirming identity theft cases when they are reported by the authorities and notifying tenants of those agencies that it can confirm were affected (rather than all 1Form users as they may be at risk - as per legislation);

8) it appears that data breach notifications were not sent to all tenants who were on lease applications but only to 1Form account holders - effectively, only one person may have been notified whereas many people may be on a given lease application (this is contra-legislation as in such cases a public service announcement is due); and

9) in summary, there appears to be real risk that documents of millions of Australians may have been compromised and that 1Form may be releasing notifications to the tenants of the few real estate agencies whose accounts it can absolutely confirm were compromised - thereby limiting exposure and leaving tenants at risk.

Finally, I also note that OAIC was privy to the 3 data breach notifications and I feel it should have been glaringly obvious that the notifications were inadequate, vague and identical.

Treating 3 identical data breaches as isolated (separate) incidents is unacceptable if (as the identical notifications imply) this is the same vulnerability across the 1Form platform. If we are to rely on merely notifying real estate agencies in response to confirmed crimes as reported by the authorities, then this leaves future victims without notice to protect themselves (as appears to be the case with [5] as submitted on the Right to Know platform) - this defeats the purpose of the Privacy Act.

Yours sincerely,

Warrick Alexander

[1] http://www.roymorgan.com/findings/6881-d...

[2] https://www.businessinsider.com.au/young...

[3] http://www.keepandshare.com/doc5/view.ph...

[4] OAIC Guidelines - Description of the eligible data breach:
https://www.oaic.gov.au/privacy/guidance...

[5] https://www.righttoknow.org.au/request/1...

Legal, Office of the Australian Information Commissioner

1 Attachment


Dear Warrick Alexander,

Freedom of Information request

I refer to your request for access to documents made under the Freedom of Information Act 1982 (Cth) (the FOI Act) and received by the Office of the Australian Information Commissioner (OAIC) on 20 December 2020.

Scope of your request

In your email you seek access to the following:

“…all data breach notifications to date (including all email correspondence and associated attachments to date) lodged by or with respect to 1Form (REA-Group), including but not limited to breaches pertaining to:

- Shead Property
- Raine and Horne Green Square
- Metropole Property Management.”

Timeframes for dealing with your request

Section 15 of the FOI Act requires this office to process your request no later than 30 days after the day we receive it. However, section 15(6) of the FOI Act allows us a further 30 days in situations where we need to consult with third parties about certain information, such as business documents or documents affecting their personal privacy.

As we received your request on 20 December 2020, we must process your request by 19 January 2021.

Kind regards

Joseph Gouvatsos | Lawyer
Legal Services
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
02 8231 4259 | [email address]
***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************


Legal, Office of the Australian Information Commissioner

1 Attachment

Our reference: FOIREQ20/00245

Dear Mr Alexander

Freedom of information request no. FOIREQ20/00245

I refer to your request made under the Freedom of Information Act 1982
(Cth) (FOI Act) and received by the Office of the Australian Information
Commissioner (OAIC) on 20 December 2020.

Because your request covers documents which contain information concerning
an organisation’s business or professional affairs and personal
information, the OAIC is required to consult the individuals and
organisations under ss 27 and 27A of the FOI Act before making a decision
on release of the documents.

For this reason, the period for processing your request has been extended
by 30 days to allow time to consult (see s 15(6) of the FOI Act). The
processing period for your request will now end on Thursday, 18 February
2021.

The consultation mechanisms under ss 27 and 27A apply when we believe the
person or organisation concerned may wish to contend that the requested
documents are exempt for reasons of personal privacy, or may adversely
affect their business or financial affairs. We will take into account any
comments we receive but the final decision about whether to grant you
access to the documents you requested rests with the office of the OAIC.

Kind regards

Joseph Gouvatsos | Lawyer
Legal Services
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
02 8231 4259 | [email address]

Legal, Office of the Australian Information Commissioner

3 Attachments

Our reference: FOIREQ20/00245

Dear Mr Alexander,

Please find attached correspondence relating to your FOI request.

Kind regards

Joseph Gouvatsos | Lawyer
Legal Services
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
02 8231 4259 | [email address]

Mark Lindsey-Temple, Office of the Australian Information Commissioner

6 Attachments

Dear Mr Alexander,

 

I refer to your request for access to documents made under the Freedom of
Information Act 1982 (Cth) (FOI Act) on 20 December 2020 -
FOIREQ20/000245.

 

You will recall Joseph Gouvatsos provided you with a decision notice in
this matter on 18 February 2021. Because a relevant third party was
consulted in the making of that decision and objected to the release of
the documents, he was required under ss 27(6) and 27A(6), to advise them
of his decision and provide them with an opportunity to seek either
internal review of his decision, or review of his decision by the
Information Commissioner.

 

As the third-party review rights have now expired, please find attached
the relevant documents.

Best Regards,

Mark

Mark Lindsey-Temple | Senior Lawyer
Legal Services
Office of the Australian Information Commissioner
+61 2 9284 9769 | [email address]