Data - The Big Risk?
Introduction
In today's digital age, data has become the lifeblood of organisations, enabling them to deliver personalised services and enhance customer experiences. However, with great reliance on data comes an inherent risk - the risk of data breaches and the subsequent compromise of sensitive information.
Housing associations, responsible for providing safe and secure homes to thousands of residents, are not immune to this threat. Recent incidents involving major housing associations have highlighted the vulnerability of customer data and raised critical questions about the impact, prevention measures, and risks faced by both providers and residents.
As we move towards an even deeper dependence upon data (as discussed in our blog - AI & The Housing Sector - The Future is now), the need to ensure providers are even more data-savvy is greater than ever.
Data security has emerged as a critical concern for housing associations, as the threat of data breaches looms large. The impact on residents, the ability to prevent such incidents, and the risks faced by providers demand our attention and proactive action. It is imperative for housing associations, government bodies, and residents to work together to address this pressing issue.
By prioritising data protection, investing in cybersecurity, and fostering a culture of privacy, housing associations can enhance trust, safeguard sensitive information, and ensure the well-being of their residents in an increasingly digital world.
In this blog we will delve deeper into recent incidents involving housing associations, examining the specific challenges the sector faces and exploring potential strategies to mitigate the risks associated with data breaches.
We also have another first for the Housing Sector: a video interview with Martin Dart, a security and technology leader with extensive experience across program management, cybersecurity, risk & change management.
Can We Truly Safeguard Data?
Housing associations are well aware of the importance of data protection and have a responsibility to keep customer information secure. Yet, recent incidents raise doubts about the efficacy of current prevention measures. Ransomware attacks, accidental data leaks, and cyber intrusions have demonstrated the tenacity and sophistication of cybercriminals, highlighting the need for stronger security protocols.
What Happens When Data Falls into the Wrong Hands?
When customer data is compromised, the consequences can be far-reaching and devastating. Personal information, such as names, addresses, and contact details, can end up in the hands of malicious actors, leading to potential identity theft, fraud, and even harassment. The implications for housing association residents are profound, as they entrust these organisations with their most private information, relying on them to ensure its security.
Recent examples serve as stark reminders of the profound impact data breaches can have on individuals and communities.
Essential Services and Safeguarding - A Balancing Act
Housing associations find themselves at the intersection of providing essential services and safeguarding sensitive data. As they strive to meet the needs of residents, they must grapple with the ever-present risk of data breaches. The fallout from such incidents not only tarnishes their reputation but also puts their residents at risk. The responsibility lies not only with the providers but also with the government and regulatory bodies to ensure robust oversight and enforcement.
Housing associations, as custodians of vast amounts of personal data, face a delicate balancing act. They must fulfil their responsibilities to residents while ensuring the security of their sensitive information.
Known Breaches - Lessons From the Past
Worthing Homes - Oct ’22
Worthing Homes, a housing association based in Sussex, responded promptly to a data breach that occurred due to a fault in their telephone system.
According to reports from the Local Democracy Reporting Service, the breach resulted in the unintended sharing of personal details of tenants.
One tenant came forward and claimed to have received recordings of phone calls between Worthing Homes and other tenants. Despite requesting their own call recordings, they were mistakenly given access to recordings involving other individuals. These recordings allegedly contained sensitive information, such as ages, names, addresses, and bank details. The tenant expressed deep concern about the potential consequences, highlighting the risk of unauthorised access to bank accounts. They estimated that approximately 29 people may have been affected by the breach.
In response to these allegations, a spokesperson from Worthing Homes acknowledged the occurrence of the data breach and attributed it to a fault in their telephony system. The organization immediately reported the incident to the Information Commissioner's Office (ICO) and implemented a comprehensive plan of action to ensure that no further breaches would occur.
After conducting a thorough review of the information provided, the ICO offered valuable data protection advice and recommendations. Satisfied with Worthing Homes' response, the ICO concluded the case without pursuing any further action.
This incident raised significant concerns regarding the security of tenants' personal information and highlighted the potential risks associated with data breaches in housing associations. It underscored the importance of implementing robust systems and protocols to safeguard sensitive data and prevent unauthorised access. Such breaches not only compromised individuals' privacy but also exposed them to financial risks and identity theft. Housing associations and similar organisations were urged to prioritise data protection and continuously evaluate their systems and processes to mitigate the risk of data breaches.
Clarion Housing - July ’22
Last year, the cyber attack on Clarion Housing Group left residents facing significant financial risks. With IT services still down more than a month after the attack, tenants were bombarded with phishing scams, further exacerbating their concerns and vulnerabilities.
As a result of the attack, Clarion's phone lines and other IT systems were compromised, rendering residents unable to request repairs, report anti-social behaviour, inquire about rent or service charges, or receive financial assistance. This disruption left tenants in a state of uncertainty and financial distress.
The financial risks associated with the cyber attack extended beyond the initial disruption. Cybercriminals took advantage of compromised personal data to launch phishing attacks, targeting individuals with fraudulent emails in an attempt to trick them into disclosing login credentials or downloading malware. A SHAC poll revealed that 84% of respondents experienced an increase in phishing activity following the cyber attack, with some tenants receiving numerous phishing messages within a short period.
These targeted phishing attempts put residents at risk of financial fraud and identity theft. Desperate for information about the situation, residents became more susceptible to falling for these scams, potentially leading to financial losses and further harm.
Although Clarion Housing Group claimed that no personal information was compromised in the attack, residents expressed doubts, and the increase in phishing activity suggested otherwise. Clarion continued to investigate the extent of the data breach and its impact on other repositories where customer data may have been stored.
Sue Morton, who resided in St Augustine's Close, Scaynes Hill and also ran an independent Clarion Tenants Support Group, highlighted the difficulties faced by Clarion residents in Mid Sussex as a result of the attack. Concerns were raised regarding rent payments and the security of personal data. Some residents experienced issues with their direct debit payments, while others encountered problems when attempting manual payments.
Bromford Housing Association - July ’22
When Bromford fell victim to a cyber attack, the organization took immediate action by shutting down its systems as a precautionary measure. The chief information officer confirmed that attempts were made to access their systems, but there was no evidence of a successful breach.
To ensure the safety of their systems, all technology, including appointment systems, customer communication systems, and supplier interaction systems, was temporarily disabled. During this time, only emergency calls were accepted through the main Bromford number, while payments could still be made via the automated phone line. Customers were able to contact their neighbourhood coach through phone or text.
Bromford acknowledged the inconvenience caused by the cyber attack and expressed apologies for missed appointments and the limited service. They stressed that the return to normal operations would only happen after ensuring the safety of their systems.
Their chief executive reassured customers that there was no evidence of a data breach. Bromford had been actively working with partners to address the situation. The organization expressed gratitude to customers, suppliers, and partners for their patience and understanding during this challenging time. They remained committed to restoring normal operations in a safe and controlled manner.
ForHousing - June ’21
The ForViva Group was affected by a ransomware attack that compromised their systems and resulted in the compromise of some data. One of ForViva Group's companies, Liberty Gas, had previously carried out work for Your Housing Group, which meant that some personal data related to Your Housing Group was impacted.
The attack also affected ForHousing, another member of the ForViva group, although no tenant or staff data from ForHousing's systems was accessed. However, a small amount of data from Liberty was compromised in the ransomware attack. The incident was reported to the Information Commissioner's Office (ICO). As a precautionary measure, ForHousing's systems were temporarily taken offline. Internal investigations into the cyberattack have been completed.
Colette McKune, the CEO of the ForViva group, emphasised that the integrity of tenant and staff data was a top priority. All tenants were informed about the incident, and their data was confirmed to be safe.
However, data from ForViva was discovered on the dark web, which posed a risk not only to the affected organisations but also to the individuals whose information had been compromised. Breached information was often exploited for further criminal activities, causing emotional distress, anxiety, and stress for the victims.
Keller Postman UK lawyers assisted individuals in making successful ransomware claims to seek compensation for their losses and distress. In cases where multiple individuals were affected, they initiated a group action lawsuit to address the breach collectively.
Watford Community Housing Trust - March ’20
The data breach at Watford Community Housing Trust was a significant and distressing event for the 3,545 tenants who were affected. The breach occurred when a document containing highly sensitive details was mistakenly emailed to customers, resulting in a clear violation of GDPR regulations and a severe breach of tenant trust and safety.
The emotional impact of this data breach was immense, particularly for individuals who were already vulnerable or suffering from psychological issues. The added worry and stress caused by the breach, especially during the COVID-19 pandemic, had devastating effects on the mental well-being of the affected tenants.
Hayes Connor Solicitors, recognising the gravity of the situation, provided advice and guidance to support residents who were concerned about the Watford Community Housing Trust data breach. They received numerous contacts from affected residents.
Fletchers Data Claims, a company representing affected tenants, urged those impacted to come forward. Fletchers Data Claims stated that most victims could claim a minimum settlement ranging from £1,000 to £5,000. However, those significantly affected by the breach may have been eligible for compensation of up to £15,000. This financial compensation aimed to address the distress and potential harm caused by the unauthorised disclosure of personal information.
Testimonies from affected individuals revealed that the leaked data had put vulnerable tenants in potentially life-changing and life-threatening situations. The breach not only compromised their privacy but also raised concerns about strangers accessing their personal information. Victims were now faced with the burden of safeguarding their privacy and carrying out extensive administrative work to regain some control over their personal data.
Watford Community Housing reported the incident to the Information Commissioner's Office and the Regulator of Social Housing. The organization acknowledged the breach as a result of human error and expressed deep apologies for the breach.
To assess the impact on affected individuals, Watford Community Housing undertook various measures, including identifying any safeguarding concerns. They actively contacted customers to provide information, guidance, and support. Concerned individuals were given resources and assistance to navigate the aftermath of the breach.
A Conversation with Martin Dart
I spoke with Martin, who is (as well as being an old friend) a security and technology leader with extensive experience across program management, cybersecurity, risk and change management.
With Martin's knowledge and hands-on involvement in the cyber security industry, coupled with his invaluable government experience at national and state levels in Australia and the UK, this interview uncovers some of the most pressing security challenges faced by the housing sector and reveals some of the solutions to protect against evolving threats.
Where/Who is the Weak Link?
In the context of cybersecurity in the housing sector, the weakest link can vary depending on the specific organization and its cybersecurity practices.
People within the organization, including employees and residents, can inadvertently become the weakest link in cybersecurity. This can occur through actions like falling for phishing scams, using weak passwords, clicking on malicious links, or mishandling sensitive data. It is essential to educate and train individuals on cybersecurity best practices to mitigate this risk.
If employees and residents are not adequately aware of cybersecurity risks and preventive measures, they may unknowingly engage in risky behaviours that could compromise the security of the organization. Lack of awareness can lead to weak password practices, sharing sensitive information, or falling for social engineering attacks. Regular security awareness training and communication can help strengthen this aspect.
Using outdated software, operating systems, or unsupported hardware increases the vulnerability of housing organisations. Outdated systems may have unpatched vulnerabilities that can be exploited by attackers. Regular software updates, patch management, and retiring legacy systems are crucial to maintaining a strong cybersecurity posture.
Housing organisations often rely on third-party vendors, suppliers, or service providers for various operations. If these third parties have weak cybersecurity measures or suffer a data breach, it can have a direct impact on the housing organization. Conducting due diligence and implementing robust contractual agreements with third parties can help mitigate this risk.
Weak access controls, such as weak passwords, lack of multi-factor authentication, or excessive user privileges, can provide attackers with unauthorised access to systems and sensitive data. Implementing strong access controls, least privilege principles, and regularly reviewing user permissions can help address this vulnerability.
Without a well-defined incident response plan, housing organisations may struggle to effectively respond to and mitigate cyber incidents. This can lead to prolonged downtime, data loss, or an inadequate response to contain and remediate the breach. Developing an incident response plan and conducting regular drills can help strengthen the organisation's ability to respond to cybersecurity incidents.
GDPR - Still required post Brexit?
Even after Brexit, GDPR (General Data Protection Regulation) remains in effect under UK law, and adherence to it remains important. The Data Protection Act (DPA) 2018, along with the UK GDPR, still apply to organisations processing domestic personal data.
The Data Protection Act 2018 serves as the UK's implementation of the GDPR, ensuring that personal information is handled appropriately by organisations, businesses, and the government.
The Act enforces strict rules known as 'data protection principles,' which dictate that personal data should be used fairly, lawfully, and transparently. Furthermore, the data should be used only for specified and explicit purposes, in a manner that is adequate, relevant, and limited to what is necessary.
To maintain compliance, organisations must ensure the accuracy and currency of personal data, storing it no longer than necessary. They are also responsible for handling the data securely, protecting it against unauthorised access, processing, loss, destruction, or damage. Moreover, specific categories of sensitive information, including race, ethnic background, political opinions, religious beliefs, and health data, enjoy heightened legal protection.
The Data Protection Act also addresses personal data relating to criminal convictions and offences, offering separate safeguards to ensure its appropriate handling.
Therefore, housing providers (and other organisations) must recognise that GDPR and its UK implementation, the DPA 2018, are still integral to data protection and privacy practices. Compliance with these regulations is essential for safeguarding personal information and maintaining trust with customers, both domestically and across the EU.
The Housing Sector Top Five Tips
Whilst I claim to be no expert, having read and spoken to experts within the field, here are five tips for housing providers to help avoid cyber attacks and data breaches.
1 - Implement Strong Security Measures: Ensure that robust security measures are in place across all systems and networks. This includes using up-to-date antivirus and anti-malware software, firewalls, and intrusion detection systems. Regularly apply security patches and updates to software and operating systems to address any known vulnerabilities.
2 - Educate and Train Staff: Provide comprehensive cybersecurity training to all employees, contractors, and stakeholders involved in housing operations. Focus on topics such as recognising phishing attempts, creating strong passwords, avoiding suspicious links or attachments, and reporting security incidents promptly. Regularly reinforce security awareness to keep employees vigilant.
3 - Enforce Strong Password Policies: Passwords are often the first line of defence against unauthorised access. Implement strong password policies that require complex, unique passwords and regular password changes. Encourage the use of password managers to help employees manage multiple strong passwords securely. Additionally, consider implementing multi-factor authentication (MFA) for added security.
4 - Regularly Back Up Data: Implement a robust data backup strategy to ensure critical housing data is regularly and securely backed up. Backups should be stored in separate locations and regularly tested to ensure data integrity and availability. In the event of a cyber attack or data loss, having up-to-date backups can help restore operations and minimise the impact.
5 - Conduct Regular Security Assessments: Perform regular cybersecurity assessments, including vulnerability scanning and penetration testing, to identify potential weaknesses and vulnerabilities in systems and networks. These assessments help identify areas that require immediate attention and allow for proactive mitigation of potential risks before they are exploited.
Cybersecurity is an ongoing process, and staying vigilant is key. Continuously monitor systems, keep up with the latest security practices, and stay informed about emerging threats in the housing sector. By implementing these tips and adopting a proactive approach to cybersecurity, housing providers can significantly reduce the risk of cyber attacks and protect sensitive data.
Cyber Essentials
Cyber Essentials is a Government-backed scheme that helps housing providers protect their organisations against common cyber attacks. By achieving certification, housing providers can demonstrate their commitment to cybersecurity and safeguard against basic cyber threats. The scheme offers two levels of certification: Cyber Essentials and Cyber Essentials Plus. The former provides protection against common cyber attacks, while the latter involves a hands-on technical verification process.
Getting certified can reassure customers, attract new business, and provide a clear understanding of the organisation's cybersecurity level. It may also be a requirement for bidding on certain government contracts.
The IASME consortium is available to assist housing providers in obtaining certification.
Useful Support for Housing Providers:
Cyber Essentials is a Government-backed scheme for protecting organisations against cyber attacks.
Most cyber attacks are basic in nature, and Cyber Essentials helps prevent them.
There are two certification levels: Cyber Essentials and Cyber Essentials Plus.
Certification provides protection against common cyber attacks and demonstrates commitment to cybersecurity.
Cyber Essentials can reassure customers and attract new business.
It helps housing providers understand their cybersecurity level and meet government contract requirements.
The IASME consortium can assist with obtaining certification.
The Cyber Essentials readiness toolkit helps create an action plan to meet the requirements.
What Should Housing Providers Do After a Hack/Breach?
When housing providers become aware of a hack or breach, it is crucial for them to respond promptly and effectively to mitigate the damage and ensure the security of their systems and residents' data.
Housing providers should have an incident response plan in place that outlines the steps to be followed in case of a hack or breach. This plan should include designated roles and responsibilities, communication protocols, and actions to contain and resolve the incident. Activate the plan immediately to initiate the response process.
Identify the compromised systems or areas of the network and isolate them from the rest of the infrastructure to prevent further unauthorised access. This may involve temporarily shutting down affected systems or disconnecting them from the network. Implement additional security measures to protect the remaining systems.
Bring in IT and cybersecurity experts to assess the situation, investigate the breach, and provide guidance on remediation. These professionals can help identify vulnerabilities, close security gaps, and assist in restoring systems while preserving any necessary evidence for potential investigations.
Promptly inform affected residents and stakeholders about the breach, providing transparent and accurate information about the incident and its potential impact. Communicate through multiple channels, such as email, website notifications, or direct mail, and offer guidance on steps residents can take to protect their personal information.
Report the breach to the appropriate authorities, such as data protection agencies or law enforcement agencies, in compliance with applicable regulations. Cooperate fully with their investigations and provide any required information or documentation.
Initiate a comprehensive investigation into the breach to determine the root cause, the extent of the compromise, and any data that may have been accessed or exfiltrated. Identify any gaps in security controls and take corrective actions to prevent future incidents.
Based on the findings of the investigation, implement necessary remediation measures to strengthen security controls and prevent similar breaches in the future. This may include patching vulnerabilities, enhancing network security, improving employee training on cybersecurity awareness, or revising policies and procedures.
Provide support and resources to affected individuals, such as credit monitoring services or identity theft protection, to help mitigate the potential impact of the breach. Establish channels for residents to seek assistance, ask questions, and report any suspicious activities related to the incident.
Conduct a post-incident review to identify lessons learned and areas for improvement in cybersecurity practices and incident response. Update policies, procedures, and training programs based on the findings to enhance overall security posture.
It is essential to keep residents and stakeholders informed about the progress of the investigation, remediation efforts, and security enhancements. Provide regular updates on the measures taken to address the breach and reassure them of the housing provider's commitment to data security.
What Should Residents do when informed of a Breach?
If residents' data is shared due to a breach, whether it's caused by a hacker or a failure by the provider, there are several steps they can take to mitigate the impact and protect their information.
Keep a close eye on bank accounts, credit card statements, and any other financial accounts for any unauthorised or suspicious activity. If any fraudulent transactions are detected, report them to the respective financial institution or credit card company immediately.
If personal login credentials were compromised, change passwords for all relevant online accounts, especially those associated with the housing provider. Consider using strong, unique passwords and enabling two-factor authentication for an extra layer of security.
After a data breach, scammers may attempt to exploit the situation by sending phishing emails or making fraudulent phone calls. Be cautious of unsolicited communications and avoid clicking on suspicious links or providing personal information unless you can verify the authenticity of the source.
Regularly monitor credit reports from major credit reporting agencies to detect any unauthorised accounts or suspicious activities. This can help identify potential identity theft early on and enable residents to take appropriate steps to protect their credit.
Depending on the severity of the breach and the data exposed, residents may consider enrolling in credit monitoring or identity theft protection services. These services can provide ongoing monitoring of credit reports and alerts for potential fraudulent activity.
If the breach involved sensitive personal information, residents should consider reporting the incident to their local data protection authorities or regulatory bodies. This can help ensure that appropriate action is taken by the authorities and can contribute to the overall investigation and prevention of future breaches.
It's important for residents to stay vigilant and proactive in protecting their personal information. By taking these steps, they can minimise the potential impact of a data breach and mitigate the risk of identity theft or financial fraud.
In conclusion
The increasing reliance on data in the housing sector has exposed housing associations to significant risks associated with data breaches. Recent incidents have highlighted the potential consequences of compromised data, including identity theft, fraud, and financial harm to residents. Housing associations must prioritise data protection and take proactive measures to enhance cybersecurity.
The incidents discussed in this report underscore the importance of implementing robust systems and protocols to safeguard sensitive data and prevent unauthorised access. The breaches at Worthing Homes, Clarion Housing, Bromford Housing Association, ForHousing, and Watford Community Housing Trust serve as stark reminders of the profound impact data breaches can have on individuals and communities. They have highlighted the need for housing associations to continuously evaluate and improve their security practices.
To address the challenges posed by data breaches, housing associations should prioritise data security by investing in cybersecurity measures, fostering a culture of privacy, and providing comprehensive cybersecurity training to employees and stakeholders. Implementing strong security measures, enforcing strong password policies, regularly backing up data, and conducting regular security assessments are key steps in mitigating the risks associated with data breaches.
In the event of a hack or breach, housing providers should have an incident response plan in place to ensure a prompt and effective response. This includes containing and resolving the incident, communicating with affected parties, and implementing measures to prevent future breaches.
By taking these proactive steps and working collaboratively with government bodies and residents, housing associations can enhance trust, safeguard sensitive information, and ensure the well-being of their residents in an increasingly digital world. Cybersecurity should be an ongoing priority, and housing providers must remain vigilant and informed about emerging threats to stay ahead of cyber attacks.
External Links
https://www.theargus.co.uk/news/23036197.worthing-homes-housing-association-data-breach/
https://planetradio.co.uk/greatest-hits/sussex/news/sussex-housing-association-admits-data-breach/
https://www.bigissue.com/news/housing/clarion-housing-association-cyber-attack/
https://www.bbc.co.uk/news/uk-england-norfolk-62755878
https://cybersecurityawareness.co.uk/blog/48-clarion-housing-cyber-attack
https://www.gloucestershirelive.co.uk/news/property/bromford-housing-association-shuts-down-7396811
https://www.yourhousinggroup.co.uk/yhg-news/data-security-incident/
https://www.groupactionlawyers.co.uk/blog/forhousing-and-liberty-cyberattack-causes-data-leak
https://www.kellerpostman-databreach.co.uk/data-stolen-from-social-housing-group/
https://www.dataleaklawyers.co.uk/blog/forhousing-and-liberty-cyberattack
https://www.hayesconnor.co.uk/group-actions/watford-community-housing-trust-data-breach/#emotional-impact
https://www.watfordobserver.co.uk/news/21869727.watford-community-housing-denies-scam-calls-due-data-breach/
https://www.wcht.org.uk/data-incident/
https://www.groupactionlawyers.co.uk/blog/watford-community-housing-data-breach-one-year-on
https://www.swcomms.co.uk/blog/article/the-consequences-of-a-cyber-attack-on-a-housing-association