Elliman property management breach: “Gold mine for cybercriminals” or “nothing new”?

Affected parties shrug off news of the breach while security experts have concerns

Douglas Elliman’s Property Management Clients Shrug Off Breach

What would you do if your Social Security number, address, financial data and other sensitive information were compromised?

For some of the thousands of New Yorkers who may be in that position after a data breach at Douglas Elliman Property Management, the answer so far appears to be one of understanding — even as some cybersecurity experts and industry veterans sound an alarm.

Leonard Steinberg, a Compass agent who sits on condo boards at two buildings run by Elliman’s property management arm, said the breach is a wake-up call about the importance of data security. Still, he doesn’t see it as threatening the company’s reputation.

“We’ve seen some of the world’s greatest corporations attacked. Douglas Elliman isn’t the first one or the last,” he said. “Data breaches are nothing new.”

Leonard Steinberg of Compass

Leonard Steinberg of Compass

Leni Morrison Cummins, an attorney at Cozen O’Connor who represents 75 co-op and condo boards in the city, said she has not received any panicked calls from clients in buildings where Elliman is the manager.

The breach became public Monday when Douglas Elliman Property Management notified building owners and boards that an “unauthorized party” had gained access to its IT systems and that certain files containing owners’ and employees’ personal information may have been compromised. The company said the breach may have exposed residents’ and employees’ names, dates of birth, mailing addresses, Social Security numbers, driver’s license numbers, passport numbers and financial information.

As of 2018, Elliman was the largest residential property management firm in New York City, according to an analysis by The Real Deal. The firm represents 390 properties with approximately 46,500 units in New York City and Nassau and Westchester counties.

Read more

Dennis DePaola, who leads compliance at Orsid Realty, a property manager with a portfolio of 18,000 apartments in luxury buildings throughout New York City, said the breach was “disturbing and upsetting.”

“They’re one of our peers in the industry,” he said. “It’s not like if we get hacked it’s a small debit on a credit card.”

Within Orsid’s portfolio, property managers are increasingly collecting biometric data from cameras, security systems and even pandemic-driven temperature and screening systems, in addition to other personal and financial information, according to DePaola.

Jeremiah Fowler, who specializes in internet security research and data protection at Security Discovery but is not involved in the Elliman investigation, noted that the type of data exposed in the breach is “the gold mine for cybercriminals.”

“If you were going to customize your targets, you would want wealthy people,” he said.

Notable properties that use Elliman’s management services include white-glove co-ops such as 1 Sutton Place South, 1040 Fifth Avenue and The Dakota, along with luxury condos including 111 West 57th Street, 40 East End Avenue and 111 Murray Street.

Sign Up for the undefined Newsletter

Dennis DePaola of Orsid Realty

Dennis DePaola of Orsid Realty

Though Elliman said it has found no evidence of identity theft to date, Fowler noted it’s often the motivation behind a hack and can occur years after a breach, generally after the hacker resells the data.

While Steinberg said that “of course no one likes this,” he believes what most residents want is an explanation of how the breach happened and information about how they will be protected in the future.

Elliman has launched an investigation into the incident, contacted law enforcement — a source with knowledge of the situation said the Federal Bureau of Investigation is involved — and set up a hotline to answer questions. Executives said the company would offer affected individuals a one-year membership to identity-theft prevention and credit monitoring services. Individuals who may have been affected by the breach will start hearing from the firm directly on Friday.

“If Douglas Elliman acts responsibly and proactively, which they have so far, I would suspect that this is something that will come and go,” said Steinberg.

A developer who has worked with Elliman’s property management firm and agreed to speak on the condition of anonymity pledged to continue working with the company despite the breach.

“It’s not their fault,” the developer said. “Things happen.”

But security experts wonder whether Elliman could do more to prevent such incidents.

Fowler said data encryption is a best practice for the industry. When files are encrypted, even if an unauthorized party breaches a network, the hacker would have to break through an algorithm to see the information, adding another deterrent.

Greg Kelley, who leads cybersecurity firm Vestige Digital Investigations and is not involved in the Elliman investigation, agreed. He said that encryption often provides companies with the equivalent of a “get-out-of-jail-free card.” They can then assure regulators that the data was not compromised and argue that they don’t have to notify customers or employees about the breach.

“The fact that [Elliman] notified [residents] tells me they may not have had that get-out-of-jail-free card,” said Kelley. Both he and Fowler noted that if companies encrypt their data, they will often mention that in disclosures when a breach occurs.

Copies of Elliman’s notices to condo and co-op boards advising them of the breach viewed by The Real Deal do not mention encryption. A spokesperson for the company declined to comment, citing the “ongoing and sensitive” nature of the investigation.

Under New York’s Stop Hacks and Improve Electronic Data Security Act, companies must notify affected people and businesses of a data breach except in cases where they can “reasonably” determine there will be no misuse of information, or the logistics of notifying involve more than 500,000 parties or costs over $250,000.

But what’s equally concerning for Kelley, however, is the nonchalance surrounding the breach.

“It’s kind of naive to say this happens to everyone,” he said. “It can happen to anyone… But if your data security is poor, it’s more likely to happen to you.”