Victorian real estate agency PH Property Bendigo said that it has suffered a data breach, potentially affecting roughly 200 customers.
The agency said that four months of data was stolen when threat actors hacked a staff member’s email address and got past security protocols on 15 March.
PH Property had a number of security protocols in place, such as two-factor authentication and randomised passwords, as well as security software and a firewall.
The company said that the stolen data included bank details, names, contact info and ID documentation and that bad actors had begun contacting clients from a staff email address with the first name Kayla.
“You may have already received a fake email from her account requesting to open an attachment — please do not open these attachments,” the company warned in an email it issued to clients yesterday (29 March).
“Our current information shows that they have only emailed clients so far, however, there is a possibility that they have made a local copy of Kayla’s entire email account and will have access to any email that has been sent to or from her.”
In response, the agency reported the breach to the Office of the Australian Information Commissioner (OAIC) and has hired security workers to keep its network secure.
PH Property has said that customers and users of its services should review their bank accounts and change passwords to protect themselves.
Brenton Johnson, managing director of a Victorian security agency, praised the security measures that PH Property had in place and said he was shocked that threat actors were able to get through.
However, he did say that businesses should avoid wiping affected devices, as they contain necessary information for insurance and investigation purposes.
“It’s generally not recommended to wipe the computer generally. The best option is to remove the hard drive and put in a new one,” said Johnson.
“Reason being this erases all evidence and may impact any insurance claim they have.”
As Johnson pointed out, attacks on SMEs are becoming increasingly common. While the payout for a threat actor may be lower than when targeting large multinational institutions, smaller businesses often have weaker security measures and are more vulnerable.
The National Cybersecurity Alliance found in a 2019 report that 43 per cent of all cyber attacks were on businesses with under 250 employees.
In addition, the FBI’s Internet Crime Complaint Center had 11,000 reports of cyber attacks from SMEs, with losses totalling US$145 million (over $217 million).