For years, the real estate industry has been on the receiving end of regular email fraud, ransomware and other assorted malicious attacks — but why target a real estate business?
Giving out personally identifiable information such as work experience, date of birth, past rental locations, phone number and email address during an application or lease agreement has become part and parcel of renting or buying a property in Australia. As you can imagine, these pieces of data are often in a digital format or scanned copies of the physical documents which sit in numerous systems between estate agents and third parties.
The content of the data is sensitive and valuable for financial crimes, identity theft and email fraud. Large amounts of money is regularly sent, received and kept in trust accounts. The problem is exacerbated by a lack of employee training and education towards cyber crime as well as multiple devices being used and passwords shared between employees.
Personal data, unlike credit card information, is not easily reset. Birth date, names and addresses are nearly impossible to change after a breach. Technology is rapidly introduced to assist with efficiency but is often poorly understood. Typically, rental records are stored for many years and in large volumes due to industry regulations.
Too many people, including employees and third parties, have system access to tenant records.
Deloitte has written in detail about a few large vulnerabilities facing commercial real estate organisations.
“Consider the November 2013 data breach at Target Corporation. In this instance, the hackers were able to find a route through the company’s HVAC contractor’s systems to steal payment card records and other personal information of nearly 110 million customers. Along with reputational damage, the company reported a gross financial loss of $252 million.”
The incident highlights that the IT systems of real estate owners can act as an entry point for hackers to access tenant data, and that they are becoming an increasingly integral part of a tenant’s supply chain. Interestingly, cyber intrusions through real estate companies can create additional vulnerabilities beyond information theft, such as impact on productivity, life safety and protection.
Billy Rios, a security researcher at security firm Cylance Inc., shared his perspectives in a recent interview. He said: “Major financial institutions have told us that if you can vary the temperature by five or six degrees, their computers won’t be able to process transactions at the normal rate,” because heat tends to degrade computer performance.
EY’s recent report, Managing Real Estate Cyber Security, mentioned further unforeseen commercial risks.
Building management systems, which handle everything from air conditioning to door locks, traditionally worked on serial networks and were segregated from conventional IT networks. As these systems have become internet-enabled, they are now open to all possible threats that afflict conventional IT systems. The potential for harm is significant.
In real estate, the most immediate impact is likely to be felt by the tenant of the building rather than the owner, with loss of sales from collateral impact and loss of clientele. The longer-term impact is then felt by the real estate company as it is forced to compensate its tenants for loss of trading revenues and brand reparation when the true cause of the incident is discovered.
According to Deloitte, some real estate industry professionals have underestimated their cyber exposure in comparison to retail, travel, hospitality and financial services industries, insisting that their organisations aren’t prime targets. With a strong economy and very high rates of technology adoption among businesses, Australia is a prime target for cyber-crime attacks, and the real estate industry is very much a strong target.
Online trade, increased reliance on digital solutions and a lack of security culture are a few of the many variables broadening the attack surface for criminals in the real estate industry.
ABOUT THE AUTHOR
Blake Deakin is the director at Cyber Insurance Australia.
Cyber Insurance Australia works with clients to mitigate their cyber risk exposure.