Last week we flagged that Harcourts — one of the biggest names in real estate across Australia and New Zealand — had been listed on the dark web leak site of the SafePay ransomware gang. Since then, Harcourts has responded publicly. Here's where things stand and what it means for you if you've ever rented, bought or sold through them.
A quick recap
On 18 June 2026, the SafePay ransomware group added Harcourts to its leak site, claiming to have stolen data and attaching a countdown threatening to publish it. At the time, no sample data had been released and the company hadn't commented.
What's changed
Harcourts has now publicly acknowledged the situation. In its statement, the company said it is working with its network offices and external cyber security experts, has ongoing monitoring in place, and will update staff, clients and partners if it finds accurate evidence that personal information has been affected. It also noted it would update the relevant authorities in line with its obligations.
In plain terms: Harcourts is aware of SafePay's claim, is investigating, and has not yet confirmed what — if anything — was actually taken. The threat actor's claim and the reality of what happened are still two separate things, and the investigation is what closes that gap.
Why real estate is such a juicy target
Think about what you hand over to a real estate agency. For a rental application alone: your name, date of birth, current and previous addresses, employment and income details, bank statements, identity documents, sometimes even references. Buyers and sellers add bank details and conveyancing information on top.
That's a near-complete identity kit in one place — which is exactly why ransomware groups target the sector. It's also worth remembering this isn't Harcourts' first brush with a cyber incident; a 2022 breach affecting a Melbourne franchise exposed tenant, landlord and contractor data. The lesson isn't "avoid Harcourts" — every large agency holds this data and every one is a target. The lesson is to assume this information is out there and protect yourself accordingly.
What to do if you've dealt with Harcourts
Whether or not your data was caught up in this specific claim, these steps are worth taking:
- Be alert to targeted phishing. If criminals do hold rental or property data, the most likely first use is convincing scam messages that reference real details to earn your trust. Treat any unexpected message about your tenancy, application or property with suspicion — verify through official channels.
- Never act on payment details sent by email. Payment redirection fraud is the classic follow-on from real estate breaches. If you get new bank details for rent, a deposit or settlement, confirm them by phone using a number you already have.
- Turn on multi-factor authentication on your email and banking. Your email is the master key to everything else.
- Watch your accounts and your credit. Look for logins, applications or enquiries you don't recognise. If identity documents were exposed, consider a credit ban with the credit bureaus.
- If you're worried, you're not alone. IDCARE is Australia's free national identity and cyber support service and can help you build a response plan.
The bigger picture
The honest takeaway here isn't about one agency. It's that your most sensitive information is scattered across dozens of organisations you've dealt with over the years — agencies, utilities, retailers, employers — and you'll never get it all back under your control. What you can do is reduce how much damage any single breach can cause you.
That's what we do at SelfCybr: help everyday Australians and their families see where they're exposed, monitor for it, and know exactly what to do when a name like Harcourts shows up in the headlines. Plain language, local support, no fear-mongering.
This post reflects information available as of 22 June 2026 and concerns an unverified threat-actor claim that remains under investigation. We'll update it as more is confirmed.
