Elliman property management breach: “Gold mine for cybercriminals” or “nothing new”?

Affected parties shrug off news of the breach while security experts have concerns

New York /
April 23, 2021 07:00 AM
Douglas Elliman’s Property Management Clients Shrug Off Breach

What would you do if your Social Security number, address, financial data and other sensitive information were compromised?

For some of the thousands of New Yorkers who may be in that position after a data breach at Douglas Elliman Property Management, the answer so far appears to be one of understanding — even as some cybersecurity experts and industry veterans sound an alarm.

Leonard Steinberg, a Compass agent who sits on condo boards at two buildings run by Elliman’s property management arm, said the breach is a wake-up call about the importance of data security. Still, he doesn’t see it as threatening the company’s reputation.

“We’ve seen some of the world’s greatest corporations attacked. Douglas Elliman isn’t the first one or the last,” he said. “Data breaches are nothing new.”

Leonard Steinberg of Compass

Leni Morrison Cummins, an attorney at Cozen O’Connor who represents 75 co-op and condo boards in the city, said she has not received any panicked calls from clients in buildings where Elliman is the manager.

The breach became public Monday when Douglas Elliman Property Management notified building owners and boards that an “unauthorized party” had gained access to its IT systems and that certain files containing owners’ and employees’ personal information may have been compromised. The company said the breach may have exposed residents’ and employees’ names, dates of birth, mailing addresses, Social Security numbers, driver’s license numbers, passport numbers and financial information.

As of 2018, Elliman was the largest residential property management firm in New York City, according to an analysis by The Real Deal. The firm represents 390 properties with approximately 46,500 units in New York City and Nassau and Westchester counties.

Dennis DePaola, who leads compliance at Orsid Realty, a property manager with a portfolio of 18,000 apartments in luxury buildings throughout New York City, said the breach was “disturbing and upsetting.”

“They’re one of our peers in the industry,” he said. “It’s not like if we get hacked it’s a small debit on a credit card.”

Within Orsid’s portfolio, property managers are increasingly collecting biometric data from cameras, security systems and even pandemic-driven temperature and screening systems, in addition to other personal and financial information, according to DePaola.

Jeremiah Fowler, who specializes in internet security research and data protection at Security Discovery but is not involved in the Elliman investigation, noted that the type of data exposed in the breach is “the gold mine for cybercriminals.”

“If you were going to customize your targets, you would want wealthy people,” he said.

Notable properties that use Elliman’s management services include white-glove co-ops such as 1 Sutton Place South, 1040 Fifth Avenue and The Dakota, along with luxury condos including 111 West 57th Street, 40 East End Avenue and 111 Murray Street.

Dennis DePaola of Orsid Realty

Though Elliman said it has found no evidence of identity theft to date, Fowler noted it’s often the motivation behind a hack and can occur years after a breach, generally after the hacker resells the data.

While Steinberg said that “of course no one likes this,” he believes what most residents want is an explanation of how the breach happened and information about how they will be protected in the future.

Elliman has launched an investigation into the incident, contacted law enforcement — a source with knowledge of the situation said the Federal Bureau of Investigation is involved — and set up a hotline to answer questions. Executives said the company would offer affected individuals a one-year membership to identity-theft prevention and credit monitoring services. Individuals who may have been affected by the breach will start hearing from the firm directly on Friday.

“If Douglas Elliman acts responsibly and proactively, which they have so far, I would suspect that this is something that will come and go,” said Steinberg.

A developer who has worked with Elliman’s property management firm and agreed to speak on the condition of anonymity pledged to continue working with the company despite the breach.

“It’s not their fault,” the developer said. “Things happen.”

But security experts wonder whether Elliman could do more to prevent such incidents.

Fowler said data encryption is a best practice for the industry. When files are encrypted, even if an unauthorized party breaches a network, the hacker would have to break through an algorithm to see the information, adding another deterrent.

Greg Kelley, who leads cybersecurity firm Vestige Digital Investigations and is not involved in the Elliman investigation, agreed. He said that encryption often provides companies with the equivalent of a “get-out-of-jail-free card.” They can then assure regulators that the data was not compromised and argue that they don’t have to notify customers or employees about the breach.

“The fact that [Elliman] notified [residents] tells me they may not have had that get-out-of-jail-free card,” said Kelley. Both he and Fowler noted that if companies encrypt their data, they will often mention that in disclosures when a breach occurs.

Copies of Elliman’s notices to condo and co-op boards advising them of the breach viewed by The Real Deal do not mention encryption. A spokesperson for the company declined to comment, citing the “ongoing and sensitive” nature of the investigation.

Under New York’s Stop Hacks and Improve Electronic Data Security Act, companies must notify affected people and businesses of a data breach except in cases where they can “reasonably” determine there will be no misuse of information, or the logistics of notifying involve more than 500,000 parties or costs over $250,000.

What’s equally concerning for Kelley, however, is the nonchalance surrounding the breach.

“It’s kind of naive to say this happens to everyone,” he said. “It can happen to anyone… But if your data security is poor, it’s more likely to happen to you.”




