How one rogue email created a week of chaos and disruption for a successful and respected real estate agency.
Over the past few years, cybersecurity has rapidly become a major risk concern for the real estate industry. From the threat of criminals gaining access to personally identifiable data relating to clients or employees, through to actions designed to disrupt networks or hold intellectual property hostage, cyber-attacks can expose organisations to a multitude of financial and reputational risks. Now, with mandatory data breach reporting legislation set to come into effect in Australia within the next twelve months, proactive management of cybersecurity threats and vulnerabilities is even more important.
However, as Greg Booker, Principal, LJ Hooker Kallangur/Murrumba Downs, discovered, it is almost impossible to totally prevent cyber breaches. In reality, it is not a question of "if", but rather "when". And that's why it is so important to have processes in place that can swiftly respond to attacks, as well as effective insurance coverage to help offset the considerable costs that can arise from such an event.
Better safe than sorry
When Greg Booker, Principal, LJ Hooker Kallangur/Murrumba Downs, attended a Real Estate Institute Queensland (REIQ) continuing professional development (CPD) session in 2015, he was particularly interested in a cyber risk presentation by Joanna Boyd, lead Client Relationship Manager within the Aon Real Estate Team in Queensland.
"I've been in real estate for 40 odd years, and with today's reliance on technology for almost every aspect of our agency's operations, I'd been thinking a lot about what would happen if we were the victim of some sort of cyber-attack. As we've had all our insurances through Aon since 2007, I asked Joanna for advice about a cyber policy that would be relevant to our needs. She told me about a very cost effective Cyber Extension that was available as an add-on to our existing Aon Professional Indemnity (PI) cover, and although I had a niggling doubt as to whether or not we really were at risk, I took out the cover, and then went on to forget about it."
Your money or your data
In mid–2016, an email purporting to be from an energy retailer was received by several members of the LJ Hooker Kallangur/Murrumba Downs team. "It came to my email account, as well as my wife's, however we were both immediately suspicious and closed it."
Nevertheless, the subject line, wording, design and other aspects of the email made it look quite authentic, and one of the agency's property managers opened it. As a result, a malicious ransomware file was executed, which infiltrated the agency's entire computer system, putting 30 computers, as well as the server, out of action.
"I was aware that another real estate office, and a local medical practice had been similarly attacked, and both had paid the ransom. However, the word on the street was that you shouldn't pay, because once you do, you're seen as a soft target and will be vulnerable to further attacks. Fortunately, after working for nearly a week, with three of those days starting early in the morning and working right through the night, my IT guy was able to get around the issues and restore all our files. I don't know how he did it, but he was in the zone, eyes glazed over and drinking lots of coffee."
How the insurance cover responded
"As soon as it happened, we contacted Aon and they immediately got onto the legal firm that deals with the insurers, who then directed us from there. Although several people were very sceptical about whether or not we would get paid, my previous experiences with Aon left me confident that our losses would be covered.
"In fact, there were no ifs, buts or maybes. We were simply told to send in the bill as well as the report from the IT guy. We kept the insurers up–to–date the whole time, and they didn't quibble about the costs."
Under the Cyber–Extension attached to Greg Booker's PI cover, this claim was classified as First Party Hacker Damage, and was settled for $7,690.00.
It's good to know you have a fall–back position
"Even if you've been in the business for a long time, it doesn't mean that this won't happen to you. I remember the days when all our client contacts were in an exercise book, but our sales people and property managers are now totally dependent on having access to their computers.
"We were off the air for a week and our 35 staff weren't able to do a thing. You end up feeling helpless and hopeless, but thanks to our IT guy and the insurance cover, I was also reasonably confident that everything was in safe hands.
"In hindsight, we probably weren't disciplined enough in following procedures for opening email attachments. But at the end of the day, when the insurers said 'just send us the bill', I really couldn't have been happier."
Other recent real estate cyber cover claims
During the past 12 months, the REIQ claims hotline, 1800 624 264, which is administered by Carter Newell Lawyers, has handled a number of sizeable claims from real estate agencies that have been the victim of cyber–attacks. In most cases, the claims relate to first party hacker damage to websites and computer systems. Two recent examples include:
Ransomware attack: Hackers disabled an agency's anti-virus software, which prevented the agency from recovering files from backup after they had been encrypted by ransomware. The majority of the claim, which was in excess of $10,000, was for costs incurred from decryption recovery, reinstalling the server, and reinstating the office computers. According to recent research, ransomware attacks quadrupled in 2016 (1). One of the more popular methods being adopted by hackers is the use of CryptoLocker, a ransomware trojan that encrypts your files until a ransom is paid to obtain the decryption key.
Unauthorised Transfer of Funds: Cyber thieves gained access to an agency's bank accounts through malware, which was downloaded when a staff member either opened an email attachment or clicked on a website link. The malware recorded keystrokes, enabling the thieves to obtain details of the agency's bank account login, including the password. An unauthorised withdrawal of $500,000 was discovered by a staff member the following morning. The bank was immediately contacted and they commenced action to have the transfer terminated and the funds returned. As the money had not been collected by the scammers, the transaction was stopped and the funds were successfully recovered.
There are many different costs that can arise as the result of your business being subject to a cyber–attack. As exposures can vary from one business to the next, Aon can tailor a cyber–crime policy that reflects your risk landscape as well as your budget.
For real estate agents, cyber–crime can give rise to both First Party and Third Party claims, including:
- Restoration of data costs
- Forensic investigation costs
- Cyber–extortion costs
- Claims arising from security failures
- Damage to third party systems
- Public relations costs
- Identity theft management
- Privacy and intellectual property claims
- Fines and penalties
FIND OUT MORE
Aon works with members of the real estate industry to help them take control of, and stay up to date on, their cyber threat landscape.
For more information about our tailored cyber–crime policies,
call 1300 734 274 or email firstname.lastname@example.org
1 Ransomware attacks set to quadruple in 2016, Beazley Breach Insights Report, October 2016. Found at: https://www.beazley.com/news/2016/beazley_projects_ransomware_attacks_to_quadruple_in_2016.html