Real estate at risk: Industry vulnerable to data breaches

Cyberattacks are on the rise. Are firms doing enough to protect clients?

National Issue /
May.May 25, 2021 08:00 AM

(Illustration by The Real Deal)

In 2018, the company that manages the Brooklyn condominium where cybersecurity expert Roman Sannikov lives was hacked.

The hacker locked down the property manager’s IT system and demanded the company pay a ransom to get back in. Sannikov, who leads a team of analysts scouring the dark web for intel on cybercrime and hacktivism, wasn’t personally affected by the breach; he pays his maintenance fees the old-fashioned way: by check. But as a member of the condo’s board, he had to notify residents and contend with the aftermath.

Yet Sannikov found that many of his neighbors simply shrugged off the news. “People didn’t pay attention to [it] as much as they should have,” he said.

A similar situation is playing out on a larger scale following last month’s data breach at Douglas Elliman’s property management arm. The company detected the breach in early April and notified residents and employees of the 390 properties it represents that their personal and financial information may have been exposed. Thousands of New Yorkers, many of whom reside in luxury condominiums and white-glove co-op buildings, may have had their data compromised.

But since the breach was revealed, there has been little outrage or concern expressed publicly by those who may have been affected.

Sannikov is just as surprised by that reaction as he was when his building was targeted. Attacks have gotten more dangerous since then, and residents of the well-heeled properties managed by Elliman’s firm face higher risks.

“A breach frequently isn’t the end of malicious activity,” said Sannikov. “It’s just the beginning.”

What’s at stake

In April, more than 500 million Facebook users had their dates of birth, phone numbers, employer information and locations hacked. It’s just the latest in a long list of massive data breaches, which often occur years before the affected parties are notified.

For example: Three billion Yahoo users had their personal information exposed in a 2014 breach that the company only acknowledged two years later. The extent of the incident wasn’t fully known until 2017. The same year, hackers — allegedly from the Chinese military — stole information from Equifax, one of America’s largest credit bureaus, including Social Security numbers and birthdates. A year later, hackers who were again allegedly linked to  Chinese intelligence services reportedly stole data on 500 million Marriott International customers as part of a mission to gather intel on U.S. citizens.

Given the frequency of these attacks, many people may be inclined to shrug it off when they find out their information has been compromised.

“It doesn’t feel like a good position to take, but I can also see how people come to that conclusion, at least until there’s some tangible impact on them,” said security developer Troy Hunt, who created Have I Been Pwned, a platform that lets people search to see if their email addresses or phone numbers have been exposed in a breach.

(Click to enlarge)

But some experts say that as data breaches have become more common, cyberattackers have become more enterprising — and the consequences of having your identity stolen or accounts compromised are greater than they used to be.

When Sannikov’s condo management company was hacked, for example, the culprits locked down the system and demanded payment, but didn’t steal sensitive information. “Back then it was a little bit less dangerous,” he said.

These days, when cybercriminals get access to data, they are less likely to send a ransom note. There’s a thriving market on the dark web — which Sannikov called a “criminal LexisNexis” — where hackers assemble datasets from multiple breaches, then use that data to apply for loans, file fake tax returns or, increasingly during the pandemic, apply for unemployment benefits.

That information could also be used to launch a phishing attack to gain access to people’s emails and trick them into transferring funds to the hacker.

Case in point: Last year, Barbara Corcoran, the “Queen of New York Real Estate,” nearly lost about $400,000 in an email wire fraud scam. Posing as Corcoran’s assistant, the attacker requested a payment from her bookkeeper for a renovation at an investment property.

Though Corcoran and her team caught on to the scheme and her bank was able to stop the transfer, the knowledge the attacker had of her business, staff and investments made the scam feel credible.

In a tweet at the time, Corcoran called the scam a “lesson learned.” She was not available to comment on the incident for this story.

Real estate companies aren’t targeted more than any other business with an online presence, but many prominent firms and residential brokerages have suffered breaches over the past four years.

Greg Kelley, chief technology officer at cybersecurity firm Vestige Digital Investigations, said companies that aren’t banking institutions may have a “false sense of security,” since they don’t personally have access to money.

But many brokerages and property management companies store personal information that, if breached, could give attackers the tools and opportunity to steal from clients.

Jeremiah Fowler, who specializes in internet security and data protection at Security Discovery, called real estate companies “an extremely valuable target” given the size of funds transferred in transactions.

“Where else are you going to get hundreds of thousands of dollars?” he explained. 


Experts say the way real estate firms can reduce the risk of cybersecurity attacks is simple: minimize the client and employee data they store.

“You cannot lose what you  do not have,” said Hunt. “When you start to think that way, it really changes the risk profile.”

Companies could create policies to get rid of information that is no longer relevant, or reduce the precision of data. For example, instead of asking for date of birth, they could ask for an age range, he explained.

But such an overhaul can cost time and money, and some companies find it easier to maintain the same time-tested policies, particularly when data storage is so cheap. Hunt sees it as the job of regulators to push companies toward better practices.

That’s already happening in New York state: The Stop Hacks and Improve Electronic Data Security Act, signed into law in 2019, prescribes proactive steps companies must take to protect client and employee data. In April, the New York City Council passed legislation that restricts how landlords and management companies collect and store data related to keyless building entry systems.

Dennis DePaola of Orsid Realty, a property manager with 18,000 apartments throughout New York City, said the state law triggered changes at his firm.

Orsid began using a third-party platform, BoardPackager, to secure communications between prospective buyers and boards at its buildings. DePaola, the firm’s head of compliance, said the company decided to simultaneously revamp its systems to secure, remote connections for employees and increase awareness about cybersecurity and safe data practices among staff.

“We knew we would have to come in[to] compliance,” he explained. When the pandemic began, those efforts were ramped up. “Especially in the past year, we’ve really focused a lot of time and attention” on that, he added.

Hunt said planning for the worst-case scenario is key to data security and often comes with a shift, which can be unintuitive, in how companies treat that information.

“Very often the inclination is to collect as much data as possible, and organizations tend to look at the data as being an asset rather than a liability, which is what happens once it gets leaked,” he explained. “The question really should be, ‘What’s the minimum amount of data?’”

    Related Articles

    @properties’ co-CEO Thad Wong and Alexander Real Estate partner Eric Walstrom. (Getty, @properties, Alexander Real Estate)
    @properties picks Detroit brokerage for first franchise
    @properties picks Detroit brokerage for first franchise
    Diane Glass and Berkshire Hathaway Homeservices Chicago’s Lincoln Park office (BHHS Chicago)
    Berkshire Hathaway Homeservices names Diane Glass CEO
    Berkshire Hathaway Homeservices names Diane Glass CEO
    @properties’ Thad Wong, Mike Golden and Nest Realty’s Jonathan Kauffmann (@properties, Nest Realty; Seymour Johnson)
    @properties acquires stake in another Southern resi brokerage
    @properties acquires stake in another Southern resi brokerage
    Matt Farrell & Pam Liebman (Credit: Chicago Agent magazine and iStock)
    Corcoran expands into Chicago with franchise affiliate
    Corcoran expands into Chicago with franchise affiliate
    Peerage Capital Founder & Executive Chairman Miles S. Nadal and Jameson Sotheby’s CEO Chris Feurer
    “We are just beginning”: Peerage’s Miles Nadal talks Jameson Sotheby’s and his plans for US luxury brokerage domination
    “We are just beginning”: Peerage’s Miles Nadal talks Jameson Sotheby’s and his plans for US luxury brokerage domination
    Compass CEO Robert Reffkin and 900 N. Michigan Avenue, where the brokerage has a 5,000-square-foot office (Credit: Google Maps)
    Compass to close Gold Coast sales office
    Compass to close Gold Coast sales office
    The two-flat building in Woodlawn where Emmett Till lived (Getty)
    Surge in efforts to landmark Chicago’s historic Black homes
    Surge in efforts to landmark Chicago’s historic Black homes
    Developer John Murphy with the River North hotel. (350 North Orleans, Murphy Real Estate Services)
    John Murphy plans upscale revamp of Holiday Inn Wolf Point
    John Murphy plans upscale revamp of Holiday Inn Wolf Point

    The Deal's newsletters give you the latest scoops, fresh headlines, marketing data, and things to know within the industry.