Real estate at risk: Industry vulnerable to data breaches
Cyberattacks are on the rise. Are firms doing enough to protect clients?
In 2018, the company that manages the Brooklyn condominium where cybersecurity expert Roman Sannikov lives was hacked.
The hacker locked down the property manager’s IT system and demanded the company pay a ransom to get back in. Sannikov, who leads a team of analysts scouring the dark web for intel on cybercrime and hacktivism, wasn’t personally affected by the breach; he pays his maintenance fees the old-fashioned way: by check. But as a member of the condo’s board, he had to notify residents and contend with the aftermath.
Yet Sannikov found that many of his neighbors simply shrugged off the news. “People didn’t pay attention to [it] as much as they should have,” he said.
A similar situation is playing out on a larger scale following last month’s data breach at Douglas Elliman’s property management arm. The company detected the breach in early April and notified residents and employees of the 390 properties it represents that their personal and financial information may have been exposed. Thousands of New Yorkers, many of whom reside in luxury condominiums and white-glove co-op buildings, may have had their data compromised.
But since the breach was revealed, there has been little outrage or concern expressed publicly by those who may have been affected.
Sannikov is just as surprised by that reaction as he was when his building was targeted. Attacks have gotten more dangerous since then, and residents of the well-heeled properties managed by Elliman’s firm face higher risks.
“A breach frequently isn’t the end of malicious activity,” said Sannikov. “It’s just the beginning.”
What’s at stake
In April, more than 500 million Facebook users had their dates of birth, phone numbers, employer information and locations hacked. It’s just the latest in a long list of massive data breaches, which often occur years before the affected parties are notified.
For example: Three billion Yahoo users had their personal information exposed in a 2014 breach that the company only acknowledged two years later. The extent of the incident wasn’t fully known until 2017. The same year, hackers — allegedly from the Chinese military — stole information from Equifax, one of America’s largest credit bureaus, including Social Security numbers and birthdates. A year later, hackers who were again allegedly linked to Chinese intelligence services reportedly stole data on 500 million Marriott International customers as part of a mission to gather intel on U.S. citizens.
Given the frequency of these attacks, many people may be inclined to shrug it off when they find out their information has been compromised.
“It doesn’t feel like a good position to take, but I can also see how people come to that conclusion, at least until there’s some tangible impact on them,” said security developer Troy Hunt, who created Have I Been Pwned, a platform that lets people search to see if their email addresses or phone numbers have been exposed in a breach.
But some experts say that as data breaches have become more common, cyberattackers have become more enterprising — and the consequences of having your identity stolen or accounts compromised are greater than they used to be.
When Sannikov’s condo management company was hacked, for example, the culprits locked down the system and demanded payment, but didn’t steal sensitive information. “Back then it was a little bit less dangerous,” he said.
These days, when cybercriminals get access to data, they are less likely to send a ransom note. There’s a thriving market on the dark web — which Sannikov called a “criminal LexisNexis” — where hackers assemble datasets from multiple breaches, then use that data to apply for loans, file fake tax returns or, increasingly during the pandemic, apply for unemployment benefits.
That information could also be used to launch a phishing attack to gain access to people’s emails and trick them into transferring funds to the hacker.
Case in point: Last year, Barbara Corcoran, the “Queen of New York Real Estate,” nearly lost about $400,000 in an email wire fraud scam. Posing as Corcoran’s assistant, the attacker requested a payment from her bookkeeper for a renovation at an investment property.
Though Corcoran and her team caught on to the scheme and her bank was able to stop the transfer, the knowledge the attacker had of her business, staff and investments made the scam feel credible.
In a tweet at the time, Corcoran called the scam a “lesson learned.” She was not available to comment on the incident for this story.
Real estate companies aren’t targeted more than any other business with an online presence, but many prominent firms and residential brokerages have suffered breaches over the past four years.
Greg Kelley, chief technology officer at cybersecurity firm Vestige Digital Investigations, said companies that aren’t banking institutions may have a “false sense of security,” since they don’t personally have access to money.
But many brokerages and property management companies store personal information that, if breached, could give attackers the tools and opportunity to steal from clients.
Jeremiah Fowler, who specializes in internet security and data protection at Security Discovery, called real estate companies “an extremely valuable target” given the size of funds transferred in transactions.
“Where else are you going to get hundreds of thousands of dollars?” he explained.
Experts say the way real estate firms can reduce the risk of cybersecurity attacks is simple: minimize the client and employee data they store.
“You cannot lose what you do not have,” said Hunt. “When you start to think that way, it really changes the risk profile.”
Companies could create policies to get rid of information that is no longer relevant, or reduce the precision of data. For example, instead of asking for date of birth, they could ask for an age range, he explained.
But such an overhaul can cost time and money, and some companies find it easier to maintain the same time-tested policies, particularly when data storage is so cheap. Hunt sees it as the job of regulators to push companies toward better practices.
That’s already happening in New York state: The Stop Hacks and Improve Electronic Data Security Act, signed into law in 2019, prescribes proactive steps companies must take to protect client and employee data. In April, the New York City Council passed legislation that restricts how landlords and management companies collect and store data related to keyless building entry systems.
Dennis DePaola of Orsid Realty, a property manager with 18,000 apartments throughout New York City, said the state law triggered changes at his firm.
Orsid began using a third-party platform, BoardPackager, to secure communications between prospective buyers and boards at its buildings. DePaola, the firm’s head of compliance, said the company decided to simultaneously revamp its systems to secure, remote connections for employees and increase awareness about cybersecurity and safe data practices among staff.
“We knew we would have to come in[to] compliance,” he explained. When the pandemic began, those efforts were ramped up. “Especially in the past year, we’ve really focused a lot of time and attention” on that, he added.
Hunt said planning for the worst-case scenario is key to data security and often comes with a shift, which can be unintuitive, in how companies treat that information.
“Very often the inclination is to collect as much data as possible, and organizations tend to look at the data as being an asset rather than a liability, which is what happens once it gets leaked,” he explained. “The question really should be, ‘What’s the minimum amount of data?’”