1Form (REA Group) Data Breach Notifications resubmission
Dear Office of the Australian Information Commissioner,
My earlier FOI request with the OAIC was deemed refused, as was my request for review under s 54E of the FOI Act - https://www.righttoknow.org.au/request/1...
Instead, the OAIC suggested that a new FOI request would yield a new decision-maker, with the assurance that a decision would be provided within the statutory timeframe.
I kindly propose that any decision should also elaborate with regard to differences in redactions as compared with the initial decision (for the initial request). This will save the public from additional delays (another review expiry) before finding out whether there was any substantive change to the initial decision.
I would like to see all data breach notifications to date (including all email correspondence and associated attachments to date) lodged by or with respect to 1Form (REA-Group), including but not limited to breaches pertaining to:
- Shead Property
- Raine and Horne Green Square
- Metropole Property Management
I kindly request that the following factors be considered in relation to the public interest:
1) the REA Group's realestate.com.au is reported to be Australia's most visited real-estate website [1] and at the time REA acquired its tenancy management platform (1Form) it was reported to have 2.3 million users [2] - a number that is likely far greater today;
2) there appears to be a clear increase in identity theft targeting the real-estate industry with the trend apparent in the OAIC notifications as per OAIC FOI disclosure log / annual reports;
3) there are few resources as rich with personal information that can be sold on the dark web as that of real-estate platforms since they are likely to hold extensive documentation about an individual in a single repository (passports, driver's licenses, residences etc.);
4) the data breach notifications sent by 1Form are in the public domain [3] and were shared with thousands of people - they were publicised by 1Form in its public archive for months;
5) the data breach notifications do not appear to meet requirements as per OAIC guidelines as they appear to contain barely any description of the incident [4];
6) most alarmingly, the 3 data breach notifications appear practically identical, extremely vague, and are a cause for great concern for the Australian public since there may have been a common vulnerability - noting that 3 incidents were reported over a time span of 9 months with what appears to be the same vague notification;
7) relying solely on the information in the 3 data breach notifications, I can only conclude that 1Form may be retrospectively confirming identity theft cases when they are reported by the authorities and notifying tenants of those agencies that it can confirm were affected (rather than all 1Form users as they may be at risk - as per legislation);
8) it appears that data breach notifications were not sent to all tenants who were on lease applications but only to 1Form account holders - effectively, only one person may have been notified whereas many people may be on a given lease application (this is contra-legislation as in such cases a public service announcement is due); and
9) in summary, there appears to be real risk that documents of millions of Australians may have been compromised and that 1Form may be releasing notifications to the tenants of the few real estate agencies whose accounts it can absolutely confirm were compromised - thereby limiting exposure and leaving tenants at risk.
Finally, I also note that OAIC was privy to the 3 data breach notifications and I feel it should have been glaringly obvious that the notifications were inadequate, vague and identical.
Treating 3 identical data breaches as isolated (separate) incidents is unacceptable if (as the identical notifications imply) this is the same vulnerability across the 1Form platform. If we are to rely on merely notifying real estate agencies in response to confirmed crimes as reported by the authorities, then this leaves future victims without notice to protect themselves (as appears to be the case with [5] as submitted on the Right to Know platform) - this defeats the purpose of the Privacy Act.
Yours sincerely,
Warrick Alexander
[1] http://www.roymorgan.com/findings/6881-d...
[2] https://www.businessinsider.com.au/young...
[3] http://www.keepandshare.com/doc5/view.ph...
[4] OAIC Guidelines - Description of the eligible data breach:
https://www.oaic.gov.au/privacy/guidance...
Dear Warrick Alexander,
Freedom of Information request
I refer to your request for access to documents made under the Freedom of
Information Act 1982 (Cth) (the FOI Act) and received by the Office of the
Australian Information Commissioner (OAIC) on 20 December 2020.
Scope of your request
In your email you seek access to the following:
“…all data breach notifications to date (including all email
correspondence and associated attachments to date) lodged by or with
respect to 1Form (REA-Group), including but not limited to breaches
pertaining to:
- Shead Property
- Raine and Horne Green Square
- Metropole Property Management.”
Timeframes for dealing with your request
Section 15 of the FOI Act requires this office to process your request no
later than 30 days after the day we receive it. However, section 15(6) of
the FOI Act allows us a further 30 days in situations where we need to
consult with third parties about certain information, such as business
documents or documents affecting their personal privacy.
As we received your request on 20 December 2020, we must process your
request by 19 January 2021.
Kind regards
Joseph Gouvatsos | Lawyer
Legal Services
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
02 8231 4259 | [email address]
Our reference: FOIREQ20/00245
Dear Mr Alexander
Freedom of information request no. FOIREQ20/00245
I refer to your request made under the Freedom of Information Act 1982
(Cth) (FOI Act) and received by the Office of the Australian Information
Commissioner (OAIC) on 20 December 2020.
Because your request covers documents which contain information concerning
an organisation’s business or professional affairs and personal
information, the OAIC is required to consult the individuals and
organisations under ss 27 and 27A of the FOI Act before making a decision
on release of the documents.
For this reason, the period for processing your request has been extended
by 30 days to allow time to consult (see s 15(6) of the FOI Act). The
processing period for your request will now end on Thursday, 18 February
2021.
The consultation mechanisms under ss 27 and 27A apply when we believe the
person or organisation concerned may wish to contend that the requested
documents are exempt for reasons of personal privacy, or may adversely
affect their business or financial affairs. We will take into account any
comments we receive but the final decision about whether to grant you
access to the documents you requested rests with the office of the OAIC.
Kind regards
Joseph Gouvatsos | Lawyer
Legal Services
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
02 8231 4259 | [email address]
Our reference: FOIREQ20/00245
Dear Mr Alexander,
Please find attached correspondence relating to your FOI request.
Kind regards
Joseph Gouvatsos | Lawyer
Legal Services
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | oaic.gov.au
02 8231 4259 | [email address]
Dear Mr Alexander,
I refer to your request for access to documents made under the Freedom of
Information Act 1982 (Cth) (FOI Act) on 20 December 2020 -
FOIREQ20/000245.
You will recall Joseph Gouvatsos provided you with a decision notice in
this matter on 18 February 2021. Because a relevant third party was
consulted in the making of that decision and objected to the release of
the documents, he was required under ss 27(6) and 27A(6), to advise them
of his decision and provide them with an opportunity to seek either
internal review of his decision, or review of his decision by the
Information Commissioner.
As the third-party review rights have now expired, please find attached
the relevant documents.
Best Regards,
Mark
Mark Lindsey-Temple | Senior Lawyer
Legal Services
Office of the Australian Information Commissioner
+61 2 9284 9769 | [email address]