Potentially, the malware could have been sent out to thousands of members whose email addresses were in this former staff member’s account. When opened, the attachments could have launched a spyware app on members’ computers and monitored all of their email traffic, waiting for the time when a transaction was about to close. At just the right time, the criminal could have sent buyers an email with instructions on where to wire closing funds. Fortunately, this didn’t happen in Louisiana, but it has happened in dozens of cases nationwide.
Fennell’s tech providers said the affected email account was brute-force hacked from outside of the association’s Office 365 network. Brute-force hacking, which accounts for the vast majority of data breaches, is an automated trial-and-error method used to guess passwords until it gets one right.
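The pattern described above, a burst of failed sign-ins from an outside address followed by a success, is what a defender would look for in the mail service's sign-in audit log. The following is an added example, not code from the article or from any association's IT provider; the log lines are constructed, the internal office range 192.168.10.0/24 and the five-failures-in-five-minutes threshold are assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events: timestamp, account, source IP, result.
SAMPLE_LOG = """\
2019-05-01T02:10:01Z former.staff@example.org 203.0.113.45 FAIL
2019-05-01T02:10:03Z former.staff@example.org 203.0.113.45 FAIL
2019-05-01T02:10:05Z former.staff@example.org 203.0.113.45 FAIL
2019-05-01T02:10:07Z former.staff@example.org 203.0.113.45 FAIL
2019-05-01T02:10:09Z former.staff@example.org 203.0.113.45 FAIL
2019-05-01T02:10:11Z former.staff@example.org 203.0.113.45 SUCCESS
2019-05-01T08:30:00Z ceo@example.org 198.51.100.7 FAIL
2019-05-01T08:30:20Z ceo@example.org 198.51.100.7 SUCCESS
2019-05-01T09:00:00Z staff2@example.org 192.168.10.5 FAIL
2019-05-01T09:00:02Z staff2@example.org 192.168.10.5 SUCCESS
"""

OFFICE_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # assumed internal range
WINDOW = timedelta(minutes=5)   # sliding window for counting failures
THRESHOLD = 5                   # failures within WINDOW that raise an alert


def is_external(ip):
    """True when the source address is outside the assumed office network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in OFFICE_NETS)


def parse(line):
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_bruteforce(log_text):
    """Return alerts keyed by (user, ip): failure count and whether a
    success followed the burst (i.e. the password was likely guessed)."""
    failures = defaultdict(deque)
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, user, ip, result = parse(line)
        if not is_external(ip):       # rule scoped to outside sources
            continue
        key, q = (user, ip), failures[(user, ip)]
        if result == "FAIL":
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop failures outside window
                q.popleft()
            if len(q) >= THRESHOLD:
                alerts[key] = {"failures": len(q), "compromised": False}
        elif result == "SUCCESS" and key in alerts:
            alerts[key]["compromised"] = True  # guessed after the burst
    return alerts
```

A real deployment would feed this from the tenant's exported sign-in log and raise the "compromised" case to an incident, since the account should be disabled and its password reset before any mail is sent from it.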
The criminals encrypted everything … and demanded a ransom
The Anne Arundel Association of REALTORS®’ three-week, all-out battle against cybercrime started with one hacked password. “It was a nightmare,” says CEO Bob Johnston, RCE, e-PRO. The criminals got in and encrypted all of the association’s files and all of its backups. They demanded a one-bitcoin ransom.
“When something like this happens, you have no idea what to do,” says Johnston. “Who do you call? How do I pay in bitcoin?”
Johnston notified his tech support provider, who shut down all the infected machines and took a picture (a forensic image) of the hard drives and servers—which turned out later to be a vital step. But recovering any data was futile.
The only component of normal association operations that was up and running was the RAMCO membership system, because it’s cloud-based, Johnston says. Through RAMCO, the National Association of REALTORS® learned of the incident and reached out to Johnston with good news.
“NAR told me I had cyberinsurance under the umbrella errors and omissions insurance,” says Johnston. “The insurance company, Chubb, put me in touch with a forensic IT company [Kivu Consulting] and law firm [Mullen Coughlin] that specialize in data breaches.”
After an attack, cybercrime victims have a legal duty in most states to assess what information was accessed or stolen and, if necessary, notify anyone affected. Kivu Consulting assessed the breach and determined—from the pictures of the hard drives and servers—that no personal identifying information was accessed, saving the association from having to notify members. Next, the insurance company paid the 1 bitcoin—or $16,000—ransom. The price tag for the entire ordeal would have been more than $90,000, Johnston estimates. Instead, he paid only the $3,000 insurance deductible.
Once Johnston got back nearly all his data, he instituted significant changes to the association’s IT infrastructure and data security practices, including new hardware, software, and outside IT consultants.
Cyberattacks: Not if, but when
When a similar encrypting ransomware attack hit the 5,700-member Bay East Association of REALTORS®, Calif., in March 2018, the association was prepared, says CEO Tricia Thomas, RCE.
“Fortunately, we had set up a separate server for our accounting systems, another for our membership system, another for our MLS files, and a fourth for our marketing and video files, so these were unaffected by the malware that hit our two main servers,” says Thomas.
The infection started when an employee opened a link in a résumé received through Craigslist. It was quickly contained by the association’s outside IT services. But, taking no chances, the IT pros replaced the hard drives on infected computers, wiped the infected servers clean, removed all files, and scanned all systems to rule out any additional viruses hiding on them.
Because the association’s data was backed up with two different offsite backup services, Carbonite in Boston and Altaro in Europe, Thomas did not need to pay the ransom to restore her files.
“We then contacted NAR’s cybercrime insurance carrier because we wanted some peace of mind that the encrypted files weren’t hiding other viruses,” says Thomas. “We also wanted to determine that PII [personally identifying information] hadn’t been stolen by the attackers.” It hadn’t.
As the Bay East incident illustrates, no matter how well-prepared you are, it may be only a matter of time before your association faces an attack.
“Make your best effort to prepare your association now,” says Thomas. “Educate your staff about cybersecurity best practices, have at least two means of backing up your data on the most frequent schedule possible, and find out what it takes to get your data restored in a worst-case scenario.”
Thomas has also hired a new outside IT firm that installed deep-learning malware detection in conjunction with other virus protection software, moved all servers to the cloud, and regularly trains staff on the latest cybersecurity best practices.
Don’t take chances
Although association executive Erica Slosek at the 127-member Dan River Region Association of REALTORS®, Va., has not had a hacking incident, she isn’t taking any chances. “I try to be very vigilant against cyberthreats by requiring staff to use [password manager] LastPass Teams and two-factor authentication using an app called Duo,” she says.
Slosek also has a firewall installed on all association computers. Firewall solutions for small business are available as either software or hardware (with software components). Windows and Mac operating systems have firewalls built in.
“I highly advise associations to get an outside security audit by someone who is not aiming to sell them something,” says Johnston. “Our audit found all sorts of errors our previous IT vendor had made. I’m planning an annual security audit done by an outside firm.”
Johnston says he feels more secure now that his association uses Office 365 with daily backups to Microsoft’s OneDrive and staff members have changed their passwords. “One of the things that the forensics company said is that if our admin password had been 15 characters long instead of seven, they wouldn’t have been able to break in.”
Cyberthreat awareness for members
In addition to beefing up their own cybersecurity practices and infrastructure, these associations are sharing their lessons learned with their members and offering more education and resources on how members can protect their data.
“We’re planning to be more proactive on educating members on the things that they need to be doing to prevent cyberattacks,” says Fennell. “Real estate is built on reputation, so if it gets out there that a firm had a data breach, the cost is not just in the actual damages but in the lost business due to damaged reputation.”
This summer, the Louisiana Association is planning a series of brokerage outreach events on cybersecurity and how to more proactively defend against attacks.
The Bay East Association offers members free virus scans; that can be done remotely or members can bring in their laptops. It’s the association’s most popular computer service, Thomas says. Cybercrime prevention education, however, isn’t very popular. “We hired a national speaker to do specialized training on cybersecurity specific to brokers, but the turnout was really low. I think REALTORS® are focused on the cyberthreats involved in real estate transactions, and not as focused on how cyberattacks can immobilize their company infrastructure.”
After its hacking and ransomware experience, the 860-member Southwest Indiana Association of REALTORS® shared its story with members as a cautionary tale. “We emailed a notice to our members detailing the event and reminding them of the importance of having their systems backed up,” says CEO Kim Seibert, RCE, e-PRO®. Fortunately, the association wasn’t forced to pay the ransom to retrieve its files because all data was backed up remotely, which Seibert recommends all members do. Two months after the hacking, the association hosted a digital security luncheon for members with a certified ethical hacker and defense architect who specializes in network security and business security countermeasures. The speakers told members that they are more vulnerable to an attack than they realize and advised them to avoid using public Wi-Fi networks and free email accounts, such as Gmail, Yahoo, AOL, and Hotmail.
Lance Evans, RCE, CEO at the 325-member Jefferson-Lewis Board of REALTORS®, N.Y., also chose to share his association’s ransomware attack story with members. “My advice to them is back up, back up, and back up again, remotely,” says Evans, who also used cyberinsurance obtained through NAR to pay the ransom for the return of his association files after even the backup became encrypted. “We certainly have passed on our lessons learned to our members, and we also alert them to the newest schemes and scams.
“I’d advise all associations to invest in good security software, have a strong firewall, and build a good relationship with a local outside tech company,” says Evans. “And remember, if you are suspicious, don’t click. No prince is going to reach out to you to give you money.”