IBM’s X-Force — the company’s ethical hacking team — ran a test in 2016 on a property management firm that oversaw 20 buildings nationwide.
The “white hat” hackers reportedly probed one of the building’s internet firewalls and broke into its management system with relative ease.
“We could have actually turned the heat up, turned off the air conditioning, potentially taking down all the servers,” X-Force research strategist Chris Poulin said at the time. “If you put on your evil hat, there are lots of ways to do bad things.”
Those kinds of scenarios aren’t just hypothetical. Buildings can be prime targets for hacks and other breaches of privacy, while location devices like GPS have aided some recent egregious stalking and assault cases.
In 2017, a group of unidentified hackers held a hotel in Austria for ransom during the height of the area’s ski season. The attackers froze the system that makes electronic keys for guests at the Romantik Seehotel Jägerwirt, which paid a surprisingly small ransom in Bitcoin valued at about $1,800.
And last year, a cyberattack exposed the information of 500 million guests at Marriott Hotels’ Starwood chain, which ranked as the second-largest data breach in history — behind a 2013 hack of 3 billion Yahoo accounts.
Some real estate firms are notoriously bad at protecting their data. In recent years the industry has been heavily targeted, according to the FBI’s Internet Crime Complaint Center, which last year recorded 11,300 cybercrimes involving real estate fraud, totaling nearly $150 million in losses.
Andrei Barysevich, a director at the Internet threat-intelligence firm Recorded Future, said the majority of property owners he can think of fail the test when it comes to protecting their data.
“Real estate companies rarely know how to protect the data they have in their own possession,” he said. “I assume most landlords have zero experience in data security, beyond maybe the application process.”
Many security breaches in the real estate industry simply happen when someone at a company opens a phishing email, he added. “I’ve seen firsthand how inadequately trained staff in buildings are,” Barysevich said.