Municipalities and social housing organizations have not been spared by the resurgence of cyberattacks in recent years. This is all the more the case as many accommodation providers have sought to improve their adoption of digital services to accommodate the growing digital footprint of modern society. Unfortunately, as the provision of digital services increases, so does the impact that cyberattacks can have in this sector.
Recently, there has been an increase in the number of publicly acknowledged ransomware attacks committed against the housing industry. As we discussed in our article summarizing recent ransomware developmentsransomware is a type of malicious software designed to prevent the user from accessing a computer system until a ransom payment is made.
Unfortunately, over the past two years ransomware attacks have often been accompanied by data exfiltration and a threat of personal data being released if the ransom is not paid. The threat of data release is often more impactful for organizations such as housing associations that typically hold personal data and special category personal data. The industry is already well served by a healthy legal community of claimants, and a data breach resulting from a cyberattack can expose organizations to significant claims-related legal costs.
While organizations are not themselves attacked, housing providers are also exposed through their supply chain and third-party partners. Many housing providers use third parties to provide services (for example, housing repairs). If the third party is hacked, there is a risk that the accommodation provider could be held liable.
A recent example of a supply chain attack comes from Plentific, a company that runs a platform that allows property managers to manage and find local repairs. Plentific fell victim to a cybersecurity breach in late July 2021. Various housing association residents using Plentific received fraudulent phishing emails from email addresses posing as Plentific. These phishing emails attempted to defraud tenants by asking them for money to pay for repairs.
Even if a ransomware attack does not involve a data privacy breach, the operational impact on services can be long-lasting. The provision of housing services relies on a wide range of public and private sector partners and, in the event of network disruption, this can have a ripple effect on bottlenecks in critical services: new applications to register on housing waiting list, repair reports, updating of registers, payments of rents and service fees. There are examples of such services going down for months as a result of cyberattacks.
In addition to incident response and legal liability costs, rebuilding systems following an attack can be very costly. It was reported that the attack suffered by Redcar and Cleveland Council in February 2020 cost £8.7m, with the UK government stepping in to provide £3.68m to rebuild the system.
Overall, the serious and lasting consequences of a housing provider falling victim to a cyberattack underscores the importance of cybersecurity in the sector. Investments are underway, for example the Department of Housing, Communities and Local Government announces a £1.3m contract for a team to help local authorities improve their e-health and reduce related risks to malware and ransomware earlier this month. It’s certainly a welcome step, but only time will tell if it’s enough.