Can’t find what you’re looking for? Call 1300 688 648 for expert IT assistance

Cracked padlock with house icon and data streams representing the Harcourts data breach and SafePay ransomware attack in 2026

Real estate transactions involve some of the most sensitive personal data a business ever handles. Names, addresses, photo identification, bank account details, lease agreements, rental histories — all of it sits inside the systems of Australia’s property agencies. That makes real estate firms a high-value target for ransomware groups, and Harcourts, one of Australasia’s largest real estate networks, is the latest to find itself in the crosshairs.

In June 2026, the SafePay ransomware gang claimed responsibility for a cyber attack on Harcourts, listing the company on its dark web leak site and threatening to release stolen data publicly. Harcourts confirmed it was investigating the claims and engaged specialist cybersecurity experts to respond. This incident has significant implications not just for the company itself, but for every landlord, tenant, and buyer whose data has passed through a Harcourts office.


What Happened in the Harcourts Cyber Attack?

In mid-June 2026, the SafePay ransomware group listed Harcourts on its dark web leak site, claiming to have exfiltrated sensitive data from the company’s systems. The group threatened to publicly release the stolen data if their demands were not met, employing a tactic known as double extortion — where attackers steal data before encrypting systems, giving them two points of leverage over the victim.

Harcourts publicly acknowledged the claims on 18 June 2026, stating that it had become aware of an external party making claims about its systems and had immediately engaged specialist cybersecurity experts to investigate. At the early stage of the investigation, the company reported no confirmed evidence of impact to its systems or data exfiltration.

SafePay is a ransomware group first observed in October 2024. Unlike many ransomware operations that sell access to affiliates, SafePay operates on a centralised model, meaning the core group controls all aspects of the attack. Since emerging, the group has claimed over 500 victims across Australia, the United Kingdom, the United States, and New Zealand. Their methods typically involve exploiting vulnerabilities in public-facing systems, compromising credentials, and moving laterally through corporate networks before deploying ransomware.

This is not the first time Harcourts has dealt with a data incident. In November 2022, a Melbourne City franchisee suffered a breach after a third-party software provider’s account was compromised, exposing the personal information of tenants, landlords, and tradespeople — including names, addresses, phone numbers, signatures, photo identification, and banking details. The current investigation suggests the company remains a target for threat actors.


How Has Harcourts Responded?

Harcourts moved quickly to acknowledge the situation publicly and engage cybersecurity professionals. The company stated it had implemented containment measures to reduce risk and strengthen its security environment while the investigation continued.

As of the time of writing, Harcourts has not confirmed whether any data was successfully exfiltrated. The company has encouraged anyone with concerns to contact them directly through their official channels.

If you are a current or former Harcourts client — whether as a tenant, landlord, buyer, seller, or property management client — it is worth understanding what data you may have provided and taking proactive steps to protect yourself, regardless of the outcome of the investigation.


What Should Affected Individuals Do Right Now?

Whether or not you receive a formal notification from Harcourts, there are steps every person who has dealt with a real estate agency should consider taking in the current environment.

Monitor your financial accounts closely. Bank account details and credit card information are among the most valuable data points for cybercriminals. Review your statements regularly for any unauthorised transactions, no matter how small. Small test transactions are often made before larger fraud attempts.

Be alert to phishing and social engineering attempts. Following a data breach, affected individuals frequently receive phishing emails or calls from people pretending to be from the company, their bank, or government agencies. If your name, address, and contact details have been exposed, attackers can craft highly convincing messages. Never click links in unsolicited emails, and always verify the identity of callers before sharing any information.

Consider placing a credit alert or freeze. If you believe your identity documents have been exposed — including driver’s licence, passport, or Medicare card details — contact your financial institutions and consider placing a credit alert with the major credit reporting agencies (Equifax, Illion, Experian) to reduce the risk of new accounts being opened fraudulently in your name.

Check if you have received a breach notification letter. Harcourts is obligated under the Australian Privacy Act 1988 and the Notifiable Data Breaches scheme to notify affected individuals if a breach is likely to result in serious harm. If you receive a notification, read it carefully and follow the specific steps outlined.

Change passwords for any shared credentials. If you used the same email address and password across multiple services, update those credentials immediately and enable multi-factor authentication wherever it is available.


Why Does This Breach Matter Beyond Harcourts?

The Harcourts incident is part of a broader and deeply concerning pattern across Australian real estate and professional services. The data these businesses hold is extraordinarily attractive to cybercriminals precisely because it combines personal identification, financial information, and physical address data in one place.

Real estate agencies, conveyancers, property managers, and mortgage brokers all handle this same class of sensitive data — yet many operate without the cybersecurity infrastructure of a large enterprise. They may use third-party property management software, outsource support to external IT providers, and share credentials across franchise locations. Each of these factors creates additional attack surface.

A report released in July 2026 by RSM Australia found that over one third of Australian organisations had experienced a ransomware attack or extortion attempt in the past year. For organisations with more than 1,000 employees, that figure rose to 49 percent. The financial and reputational consequences of these attacks are significant. Beyond the immediate cost of the incident, affected businesses face regulatory scrutiny, potential fines under the Privacy Act, and long-term damage to client trust.

The ACSC also issued an advisory in June 2026 regarding an active campaign dubbed FortiBleed, targeting Australian organisations using Fortinet firewall or VPN services. This campaign exploits weak passwords and the absence of multi-factor authentication to gain remote access — a reminder that some of the most damaging breaches are enabled by basic security failures that could have been prevented.

Cybersecurity experts are also increasingly flagging third-party risk as a critical vulnerability. Incidents affecting the Queensland Department of Education and Victorian government schools were both linked to third-party providers, not direct breaches of the organisations themselves. In real estate, software vendors and property management platforms represent exactly this kind of third-party risk.


General Advice for Australian Businesses Handling Sensitive Client Data

Whether you operate in real estate, law, finance, healthcare, or any professional services sector, the Harcourts incident is a timely reminder that data security is not a set-and-forget exercise.

Audit what data you hold and where it lives. Many businesses collect far more personal information than they strictly need. Under the Australian Privacy Act, you are only permitted to collect data that is necessary for your functions. Conducting a data inventory helps you understand your exposure and reduce it.

Implement multi-factor authentication across all systems. A large proportion of successful ransomware attacks begin with compromised credentials. Multi-factor authentication, particularly phishing-resistant MFA such as hardware keys or app-based authentication, significantly reduces the risk of unauthorised access even when passwords have been stolen.

Apply the ACSC Essential Eight as a baseline. The Australian Cyber Security Centre’s Essential Eight framework provides a practical roadmap for reducing cyber risk across the eight most impactful mitigation strategies. For professional services firms, achieving Maturity Level 2 across all eight strategies represents a meaningful and achievable baseline.

Review and test your vendor relationships. Third-party software providers and outsourced IT support are a common entry point for attackers. Ensure all vendors meet an acceptable security standard, review their access to your systems, and ask about their own incident response capabilities.

Have an incident response plan ready. Knowing exactly what to do in the first 24 to 72 hours of a breach is critical. Under the Cyber Security Act 2024, organisations with turnover exceeding $3 million are now required to report ransomware payments within 72 hours. Having a documented plan means your team is not improvising under pressure during one of the most stressful situations a business can face.

Train your team on social engineering. The majority of ransomware attacks begin with a human interaction — a phishing email, a suspicious link, or a call from someone impersonating a vendor. Regular, scenario-based security awareness training is one of the highest-return investments a business can make in its cybersecurity posture.


How Otto IT Helps Professional Services Businesses Stay Secure

At Otto IT, we work with professional services firms across Australia — including real estate agencies, law firms, financial services businesses, and healthcare providers — to build cybersecurity environments that are proactive, not reactive.

Our managed cybersecurity services include 24/7 threat monitoring through our Security Operations Centre, Essential Eight compliance support, multi-factor authentication deployment, staff security awareness training, and incident response planning. We also help businesses navigate their obligations under the Privacy Act and the Cyber Security Act 2024.

If you are concerned about the security of your business — or if the Harcourts breach has raised questions about how your own data is protected — we are here to help. Get in touch with our team today for a no-obligation conversation about your cybersecurity posture.

The reality of Australian cybersecurity in 2026 is that no business is too small, too niche, or too trusted to be targeted. The question is not whether you will face a threat — it is whether your business is ready to respond.


Frequently Asked Questions

Was my data exposed in the Harcourts breach?

As of the time of writing, Harcourts has not confirmed whether data was exfiltrated. If you are a current or former client, monitor your accounts, be alert to phishing attempts, and watch for an official notification from Harcourts. If you receive a notification letter, follow the steps outlined carefully.

What is SafePay ransomware?

SafePay is a ransomware group that emerged in October 2024 and operates a centralised attack model. The group employs double extortion tactics, stealing data before encrypting systems to maximise pressure on victims. It has claimed more than 500 victims globally across multiple industries.

What data does a real estate agency typically hold?

Real estate agencies commonly hold names, home and postal addresses, phone numbers, email addresses, copies of photo identification (such as driver’s licences and passports), signatures, bank account details for rental payments, and in some cases, income and employment information provided for tenancy applications.

Is Harcourts required to notify affected customers?

Yes. Under the Notifiable Data Breaches scheme, organisations covered by the Privacy Act 1988 are required to notify both the Office of the Australian Information Commissioner and affected individuals when a data breach is likely to result in serious harm. If an investigation confirms significant data exposure, Harcourts would be required to notify customers.

What should I do if I have already been defrauded?

Contact your bank or financial institution immediately to report any fraudulent activity. You can also report cybercrime to the Australian Cyber Security Centre via ReportCyber at cyber.gov.au, or contact IDCARE (1800 595 160), Australia’s national identity and cyber support service.


This article is based on publicly available information as at July 2026. Otto IT does not have access to Harcourts’ internal systems and cannot confirm the scope of the incident. Individuals concerned about their personal data should contact Harcourts directly.

managed it support articles

Related Blog Articles

Discover more insights to optimise your business with the latest IT trends and best practices. Stay ahead of the curve by learning how to leverage cutting-edge technology for success. Explore expert advice and valuable guidance to navigate the evolving world of IT solutions

Learn More