Cybercrime threat to real estate sector intensifying
Recent cyberattacks on the real estate sector have highlighted the risks presented to an industry that holds vast amounts of highly personal and valuable data, and the need for businesses to defend themselves.
Since the first conviction for a commercial cyberattack in the United States in 1988, when the internet was in its infancy, cybercriminals have been trying to exploit information technology infrastructure and systems for their own nefarious purposes.
The recent breaches of Medibank and Optus databases have only served to underline the vulnerability of Australian businesses, regardless of how well-financed and resourced they might be.
Addressing its recently held Cyber Security Forum, REIWA CEO Cath Hart said recent cyber breaches highlight how vital it is for property sector businesses to be protected, and prepared to respond, in the event of cybercrime.
“Personal data is personal for a reason and people expect it to be safe and confidential,” Ms Hart said.
“When it’s leaked people feel the same sense of grief and fear as when their houses are broken into.”
In 2022, 832 incidents affecting small businesses in Australia were reported, 130 of which involved data disclosure.
National Australia Bank’s (NAB) chief executive Ross McEwan last week issued a brutal warning to the mortgage broking industry.
The NAB boss said the bank’s digital channels had been subjected to an astonishing 50 million cyberattacks from hackers every month.
Addressing a forum for the industry, Mr McEwan said, “It’s not just us that’s going to get attacked.”
“These people are criminals; they are after data of customers, so it’s something we’re spending additional money on, and we’re also spending money on just making sure that all the basics for anti-money laundering and the likes are in place.
“People are trying to electronically get into the systems, so you can imagine, push that across all the other banks and then put it into other organisations – this is not going away.
“I call it a Team Australia moment where we all have to work together.
“A lot of it is education as well, stopping people connecting onto a site and giving their details to people.
“Our broker community really needs to look out for this.”
Given the vast amount of data that real estate companies ask for, they are a prime target for hackers.
The treasure trove they’re after includes personal information from tenants used to secure a rental property, such as passport numbers, bank statements, previous addresses, and driver’s licence numbers.
Real Estate Institute of Australia (REIA) President Hayden Groves said the risks for agents not securing their systems were enormous.
“With data breaches occurring frequently, REIA encourages all Australian real estate agencies to continue reviewing their cybersecurity and privacy policies, if they are not already, for their consumers and their own peace of mind,” he said.
“This extends to and includes third-party providers.”
Highlighting just how real the threat is, Victorian real estate agency Harcourts Melbourne City fell prey this month to a cyberattack that led to clients’ personal data being leaked.
The firm confirmed that the information visible to the criminal third-party included email addresses, legal names, phone numbers and copies of signatures and bank details.
Addressing the threat
Speaking to API Magazine, Mitch Redshaw, Global Leader – Cyber Crisis Management, BDO, said the real estate industry is increasingly relying on technology to power, grow and improve the ways it does business, but with that comes significant risk.
“Technology now powers how properties are managed, bought and sold across our nation and the world.
“Online listings, marketing, digitally powered business processes, and money movement depend on computers and the internet.
“As technology becomes more and more important to us, so does the data we create, store and move within it, and with data comes responsibility.”
Mr Redshaw said there’s a range of low-effort and often low-cost controls to reduce cyber risk exposure.
“It’s essential to understand which cyber threats these controls will help manage,” he said.
He pointed out the two cyber threat scenarios that should be on the risk radar for small business and the real estate sector and highlighted the questions businesses need to ask to ensure they’re as protected as possible.
Held to ransom
The first threat involves a cybercriminal using known vulnerabilities to steal sensitive data and lock down systems for ransom.
Modern ransomware involves ‘double extortion’, where sensitive files are also stolen before computers are locked, with a ransom demanded to unlock computers and ‘guarantee’ deletion of stolen files. If unpaid, hackers threaten to release stolen information publicly.
Companies need to address these questions to ensure their security:
- What anti-virus solution are we using across our laptops and computers?
- Do we know our critical information (within our files, emails, and important websites), and are we regularly backing it up?
- How often are we testing those backups to ensure we can use them?
- Do we have any ‘secure’ (i.e. offline on an encrypted hard drive) backups in case our online backups are corrupted?
- How often are we patching/updating our websites and, if applicable, network technologies?
- How often are we scanning our network for vulnerabilities, and are they currently fixed?
- Do our user accounts require Multi-Factor Authentication for remote access?
- Do our email accounts require Multi-Factor Authentication when accessed remotely or through the web?
- Do we have a plan for responding to a ransomware attack, and who would we engage for help (including legal / privacy assistance and technical assistance)?
- Have we ever tested this plan?
If the answer to any of the above questions is “we aren’t doing this”, “we don’t have this” or “I don’t know”, it’s time to take action.
Mr Redshaw said cybercriminal groups are adept at locating small business employees with access to financial information or the ability to authorise payments.
“Once found, criminal groups will target these individuals, often through phishing, to ‘socially engineer’ (deceive) them into doing something which aids the hacker – such as clicking on a link, downloading a file, or handing over information.”
He outlined the key questions real estate businesses needed to ask as a preliminary audit of their security.
- What email filtering solution do we use to reduce the phishing emails we might receive?
- Are we monitoring for any email forwarding rules (e.g., non-business email addresses or RSS feed folders) that may have been set up illegitimately?
- Do our user accounts monitor and block risky logins (e.g. from unexpected overseas locations)?
- What is our process to verify that requests from creditors to change their payment account details are legitimate?
- Who authorises changes to creditor payment account details once they’re validated as legitimate, and where are records of these decisions stored?
- Are all of our finance staff trained to recognise phishing and payment redirection fraud attacks?
- Does our email solution have verbose (e.g. greater than ‘default’) audit logging to enable investigation if we suspect an account might be compromised?
- When was the last time we tested our processes to ensure they’re safe from payment redirection fraud?
- Are we regularly monitoring to identify when our staff’s passwords are compromised in a breach?