Phishing attack compromises Domain user data
The real estate platform’s CEO has offered insight into the security breach that affected its administrative systems this week.
On 20 May 2021, a number of media outlets reported that Domain had emailed users to notify them that their “personal information may have been accessed by an unauthorised third party”.
“This may include your first name and surname, email address, postcode, details of your enquiry (e.g. any text in the enquiry box field and the time of your enquiry), details of the property you enquired about (e.g. address, rental amount), and phone number (if provided).”
Domain CEO Jason Pellegrino clarified that the incident was “not a cyber attack as has been reported”, but said that the group had “identified a scam that used a phishing attack to gain access to Domain’s administrative systems to engage with people who have made rental property enquiries”.
“We understand the scammers then contacted some of these people by email to suggest that they pay a ‘deposit’ to secure a rental property on a website nominated by the scammer,” the CEO continued.
“While this is a serious matter, at this point our investigation shows only a small number of people may have engaged with the scam.
“Clearly, people are becoming more aware of how to spot suspicious online behaviour and taking protective measures not to engage in such activity.”
According to the CEO, Domain has implemented several additional security controls and elevated its level of monitoring even further since becoming aware of the scam.
“We continue to implement further ways to identify and prevent phishing and have engaged external security consultants to provide further expertise in the management and prevention of online scams,” the CEO said.
“Unfortunately, since COVID, scams like these have been on the rise.
“It is disappointing for us to find out that after such a challenging past 12 months for many of us, some see this as an opportunity to take advantage of others.”
The Office of the Australian Information Commissioner has been notified.