25 March 2025

Pam Golding Data Breach Raises Serious Privacy Concerns

The estate agency's handling of personal information sparks questions about data security and compliance.

Pam Golding, South Africa’s largest estate agency, is facing backlash after a security breach on March 7, 2025, compromised its customer relationship management (CRM) platform. The breach has raised serious questions about how personal information was accessed and whether the agency was forthcoming with the details of the breach.

The incident came to light when a security researcher contacted MyBroadband, noting that Pam Golding had used an email address she provided only to TransUnion, a credit bureau where she had registered for identity theft and credit monitoring services. Confused about how her email had ended up in the agency’s system, the researcher detailed her surprise upon receiving communication from Pam Golding regarding her property in Cape Town.

On March 11, 2025, Pam Golding notified individuals potentially impacted by the breach. The company's statement indicated that unauthorized access was gained through an existing user account on its Alchemy system. “The information accessed by the threat actor is dependent on the type of information that we have stored on the Alchemy System for a particular client,” the agency explained, confirming that names, contact details, and even identity numbers may have been exposed.

Following the breach, several individuals came forward to MyBroadband, claiming they were unaware of how Pam Golding obtained their contact information. The agency, when questioned, suggested that all contacts who had ever interacted with them were stored in their system, including inquiries, property evaluations, and newsletter subscriptions. However, the researcher pointed out that none of this information accounted for how Pam Golding had her specific email address.

The researcher employs a unique catchall mailbox system, which allows her to receive emails sent to any username associated with a domain without setting up aliases. This means she could have separate addresses for different services without ever using them. Alarmingly, upon checking her inbox, she found a marketing email from Pam Golding dated September 5, 2024, sent to her TransUnion address. “I never contacted the real estate agency about letting out the property,” she asserted.
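The per-service addressing described above can be checked automatically. The following is an added example, not code from the article or the researcher: it maps the recipient's local part on a catchall domain to the service it was issued to and flags mail from any other sender domain. The domain `example.net`, the `ISSUED` registry and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

CATCHALL_DOMAIN = "example.net"  # assumption: the owner's catchall domain

# Assumption: which local part was handed to which service, and the
# sender domains that service is expected to mail from.
ISSUED = {
    "creditbureau": {"creditbureau.example"},
    "newsletter": {"news.example"},
}

def _allowed(sender_domain, domains):
    """True if the sender domain equals, or is a subdomain of, an expected one."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in domains)

def check_message(raw):
    """Return (local_part, sender_domain, finding) tuples for one raw message."""
    msg = message_from_string(raw)
    # From is unauthenticated; a real deployment should compare against the
    # DKIM/SPF-validated domain recorded in Authentication-Results instead.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    findings, seen = [], set()
    for _, rcpt in getaddresses(headers):
        local, _, domain = rcpt.lower().rpartition("@")
        if domain != CATCHALL_DOMAIN or local in seen:
            continue  # not our catchall domain, or already evaluated
        seen.add(local)
        expected = ISSUED.get(local)
        if expected is None:
            findings.append((local, sender_domain, "unissued-address"))
        elif not _allowed(sender_domain, expected):
            findings.append((local, sender_domain, "address-used-by-third-party"))
    return findings

# Constructed samples: third-party marketing to a service-specific address,
# and legitimate mail from a subdomain of the issuing service.
SAMPLE_LEAK = ("From: Agency <marketing@estateagency.example>\n"
               "To: creditbureau@example.net\nSubject: Your property\n\nbody\n")
SAMPLE_OK = ("From: alerts@mail.creditbureau.example\n"
             "To: creditbureau@example.net\nSubject: Monthly report\n\nbody\n")

if __name__ == "__main__":
    for sample in (SAMPLE_LEAK, SAMPLE_OK):
        print(check_message(sample))
```

A finding of `address-used-by-third-party` shows only that the address reached another sender, not which path it took to get there.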

Both Pam Golding and TransUnion have remained vague regarding their interactions in the aftermath of the breach. Pam Golding was constrained in its comments by the Protection of Personal Information Act (POPIA), stating, “We can only respond to information regarding the client information and processing directly in terms of the provisions of POPIA.” The act is designed to protect South Africans from the mishandling of their data, yet this situation has raised further questions about the agency’s data handling practices.

MyBroadband reiterated the concerns to Pam Golding and included the security researcher in the communication, encouraging them to clarify how they obtained her email address. However, Pam Golding replied, citing POPIA compliance again, stating it could not divulge any private information: “We still cannot divulge any private information or engage with MyBroadband on a matter that is a specific client issue.”

TransUnion, meanwhile, expressed that it had no evidence suggesting its systems were involved in the breach. In a statement, the credit bureau asserted, “We have no evidence to suggest that this incident is linked to TransUnion’s systems or data.” Despite this denial, the details around how the agency obtained that specific email remain murky.

Industry experts like Dominic White have pointed out that credit bureaus in South Africa are susceptible to issues such as “doxxing-as-a-service.” This means personal information can be collected or bought by individuals or companies willing to pay for access to potentially sensitive data. White has previously warned that various services allow users to query personal information held by credit bureaus, which can lead to unsanctioned data sharing across sectors, including real estate.

One probable scenario based on the gathered evidence is that Pam Golding may have obtained the researcher’s email from querying data related to property owners. White suggested, “The legality is only phrased around what the credit bureaus can collect but not on controlling how they disseminate it.” This illustrates a fundamental problem with current protections surrounding consumer data.

Pam Golding’s information officer acknowledged the possibility that they may have used industry services to access homeowner contact information. However, they maintained that keeping records of client opt-outs is essential for compliance with POPIA. They noted, “Once a client opts out, the information would have been marked as such by the agent on the system, indicating that no further canvassing to the contact may take place.”

The revelations surrounding the breach and the handling of private information have triggered skepticism and concern among customers. The situation raises the important issue of data privacy rights and how organizations like Pam Golding manage and secure their client information in an increasingly digital age.

As consumer data-sharing practices evolve, the necessity for stricter regulations becomes evident, especially in sectors like real estate where personal data is leveraged for marketing and outreach. The fallout from the breach at Pam Golding not only highlights deficiencies in data handling but also points to a broader issue regarding the use of consumer data without proper transparency and accountability.

Going forward, it will be crucial for agencies and organizations alike to reflect on their data management practices, ensuring they not only comply with laws like POPIA but also prioritize consumer privacy. This incident serves as a sharp reminder of the vulnerabilities businesses face in data security and the potential ramifications of data breaches, which extend far beyond immediate financial impacts.