Is real estate prepared for the catastrophic effect of data breaches?
When property maintenance company Plentific was hacked, it had to work hard to save its client base and its reputation. But the pain of reputational damage is nothing compared with the devastation that data breaches have the potential to unleash on human lives.
Becoming more connected has exposed the property industry to data breaches. But the next attack could be far worse than a phishing trip. It could be fatal.
This summer, tenants of Notting Hill Genesis received an odd e-mail from their landlord’s repairs partner. From now on, owing to the continuing difficulties arising from Covid, contributions towards repairs and maintenance would need to be paid in bitcoin.
When property maintenance company Plentific was hacked, it had to work hard to save its client base and its reputation. But the pain of reputational damage is nothing compared with the devastation that data breaches have the potential to unleash on human lives.
Becoming more connected has exposed the property industry to data breaches. But the next attack could be far worse than a phishing trip. It could be fatal.
This summer, tenants of Notting Hill Genesis received an odd e-mail from their landlord’s repairs partner. From now on, owing to the continuing difficulties arising from Covid, contributions towards repairs and maintenance would need to be paid in bitcoin.
Everything about the e-mail was correct. It was from the right address, it had all the right details, the right amounts, the right dates. It was just the request for cryptocurrency that smelled a bit fishy.
Or rather, phishy.
Because the e-mail was not from the housing association. Nor was it from the firm that handled the housing association’s repairs and maintenance, Plentific. The e-mail was a scam. Plentific had been hacked.
In one sense, it was not a very sophisticated scam. Peabody, another of the housing associations hit, said that the e-mails “are likely to have ended up in spam folders due to the content being about bitcoin”.
Notting Hill Genesis agreed. “We are not aware of any residents being adversely affected by the incident,” it said. “For the majority of cases, it is likely that any such e-mail went straight into spam folders.”
But for the housing associations there is understandably some unease. If they had not partnered up with Plentific last year, perhaps they would have avoided this situation.
“The obvious targets for cyber attacks used to be banking or pharmaceuticals, because they are big, chunky companies which have huge amounts of technology and use it,” says the Real Estate Data (RED) Foundation’s Dan Hughes. “The property sector has previously been a bit isolated because we tend to be quite small companies. We don’t use a huge amount of data. We were probably not that visible or attractive to target.”
But that has changed, he says. “As we get more and more data-driven, whether that’s at the building level or company level, everything is becoming much more connected. As a sector that makes property far more appealing as a target.”
Vulnerable position
Cyber security consultant Min Kyriannis says: “The very thing that real estate is embracing has ultimately exposed the sector to attack.”
According to a report published this week by Barracuda Networks, 70% of UK businesses have been the victim of a successful network security attack in the past year. Nearly as many, 65%, fell victim to at least one ransomware attack over the same period.
In the process of writing this piece, I received two fairly sophisticated phishing e-mails. And those were just the ones that got past the firewalls.
“There are now hundreds, thousands of attacks every day,” says Kyriannis, who launched her own company, Amyna Systems, last month. “We are now being constantly probed. Some will be minuscule, some will be dramatic.”
A data breach, as occurred with Plentific, is not “surprising”, not “dramatic” and is, in fact, just the tip of the iceberg.
“More and more real estate companies are starting to see this. People may not be aware of it because they only hear about the ones that they read about in the news,” she says. Or the ones they are unfortunate to experience themselves. But these attacks are not just common. “They are constant,” says Kyriannis.
If proptech firms do suffer an attack, they will be lucky if the biggest casualty is their reputation. “The reputational damage is very difficult, if not impossible, to get back if you lose control,” says Kyriannis. “You run the risk of forever being the company that let this happen.”
Plentific is on a major expansion drive, scratching the surface of what founder Cem Savas calls “a $2tn potential market opportunity”. Created in 2013, its systems already oversee repairs and maintenance for more than 350,000 properties in the UK, the US and Germany, with clients ranging from leading housing associations to local government to Knight Frank.
The company was on a high when the story broke. It had just completed a $100m fundraise to back a global expansion programme. But within days that positive story had been overshadowed. Legal & General said it had “paused” a pilot project with the proptech firm. L&Q, one of the affected housing associations, said it had “suspended all new work with Plentific”.
Plentific has since moved fast to shore up its reputation and fix the breach. It said: “We immediately took action to remediate the issue, informed all potentially impacted parties and took a number of steps to prevent any further activity, including engaging with third-party cyber security and privacy experts.
“Our sector is not immune to this risk,” it said, but added: “This risk predates proptech as a whole.”
Leading the fundraise was A/O PropTech, led by Gregory Dewerpe. Did the news that Plentific had been hacked make him doubt the wisdom of his investment? “As investors, we don’t get agitated when we see that. I think it’s part of the day to day.”
What would happen if you had a high-rise building and a hacker compromised your elevator system?
Min Kyriannis
Wake-up call
In fact, the way Plentific handled the breach was more telling for Dewerpe than the breach itself. “How you react in times of adversity is far more important than how you react when everything goes well,” he says. “And the earlier it happens, the better. Because it’s a wake-up call.”
Dewerpe is proof that this can happen to anyone, even the most tech savvy. “I have been a victim of hacking and phishing; I have been attacked personally numerous times,” he says. He has even had money stolen from him. Kyriannis too.
Dewerpe says: “It is becoming so elaborate now that all of us are consistently playing catch-up with what’s going on.”
And it is this evolution that is the problem. In a talk two years ago, Kyriannis, then head of cybersecurity at engineering practice Jaros, Baum & Bolles, said that physical threats to buildings had made the real estate sector think very seriously about physical security. The most high-profile expression of that threat happened a little over 20 years ago. But, she added: “There hasn’t been a real, true threat or incident around cyber security in real estate. Yet.”
So, is that what we are seeing now? Far from it. This time it was Plentific and a not too subtle phishing trip. Next time it could be far worse.
Kyriannis remarks on the fact that we are having this conversation on the 20th anniversary of 9/11. “I grew up in Queens,” says Kyriannis. “I have friends who passed away in 9/11.”
That is the level of threat, she says. It is on a par with the attack on the Twin Towers that claimed 2,977 innocent lives on 11 September 2001. “I’m not trying to scare you,” she says, before adding: “But stuff like this is very scary.”
What makes it even scarier is that terrorists no longer need to be physically present. “They don’t need to collect intel, they don’t have to scout around,” she says. “They just have to hack into a system.”
For anyone thinking that it is a long leap from a housing association data breach to a terrorist outrage, Kyriannis has a warning. “There is no such thing as a small breach,” she says. Having your data stolen is not just about phishing scams and reputational damage. “You are also giving an attacker a way in. And if they don’t use it against you, they will use it against someone you are connected to, or someone they are connected to. Because everything is connected,” she says.
The connection threat
There is a steadily growing convergence of smart technology, smart systems and networks within the industry. The industry is becoming better because of it, greener, leaner, more responsive. However, with that comes increased risk. “Most people don’t understand how the internet of things works,” says Kyriannis. “If you connect something to a network, it is connected to everything.”
The threads stretch everywhere, into everything, like the mycelium of a vast growing fungus. In nature those networks have been shown to be highly beneficial to their environments. But that interconnectedness can also pose a threat. Buildings can no longer be considered separate entities, not digitally. In a myriad of ways they are becoming ever more connected. Soon all the systems will be online and can be monitored from a single point – an entire portfolio of smart systems, from your central heating to your lifts. “This is the future,” says Dewerpe. “There isn’t an alternative.”
And perhaps not just those of one company. Look at the Plentific attack. It did not expose just one housing association, it led to attacks on every one that Plentific works with.
So if we have yet to see a real attack, what would that look like? Kyriannis sets the scene: “What would happen if you had a high-rise building and a hacker compromised your elevator system?”
The scenario unfolds like a Die Hard plot. “‘I have hostages on the 15th floor, the 25th. If you don’t pay this ransom, I’m going to drop this elevator.’”
What if it isn’t just one elevator? What if it is every elevator in an entire portfolio? “That’s when you see what is really at risk here. It isn’t data, or money. It’s people’s lives.”
Most companies deal with this reactively. After they get attacked, they learn how to defend themselves. But that is not enough. We have to learn from each others’ misfortune. Even if we think we are too small, too insignificant or too low-profile to ever be a target.
“If you think ‘no one’s going to attack me’, then you will become a pawn of these attackers,” says Kyriannis. “They will piggy-back your network to compromise something bigger. And you are wide open.”
That is the real danger for the property industry. To quote one leading industry figure: “Property has not been part of this connected world for that long. In many ways it is still quite naive. It’s a bit like when your mum went online for the first time and clicked on every pop-up.”
The continued integration of proptech and the increasing connectivity will inevitably lead to more, and worse, attacks. “You know, you can and you should get spooked,” says Dewerpe. “But we just have to deal with it because, eventually, doing nothing is much worse than taking a risk and moving forward.”
You don’t stop going shopping because you hear about one store that got held up. Or, as Dewerpe says: “There is a risk when I get into my car. That’s why there’s an airbag.”
There are experts you can call in, strategies you can employ, training and, yes, more technology. For someone like Dewerpe, even Kyriannis’ elevator horror presents an opportunity. “I’m an optimist, and that’s why I’m a venture capitalist,” he says. “The first thing that comes to my mind is that it would be an amazing opportunity to back a cyber security company to better protect those buildings.”
To send feedback, e-mail piers.wehner@eg.co.uk or tweet @PiersWehner or @EGPropertyNews
Photo © Shutterstock
