Since Q3 2023, real estate companies—from MLSs to title servicers—have been beset by cyberattacks that have compromised their users’ personal data. Such attacks are typically ransomware (or hackers holding data hostage for a payout). A company-wide cyberattack can be devastating, with a price tag in the millions (whether due to lost business or legal fees) and a permanent stain on a reputation.
Tracey Hawkins, an avowed real estate safety expert cited by the National Association of REALTORS®, believes that cybersecurity is vital to real estate professionals and promotes it as much as physical safety.
Speaking to RISMedia, Hawkins noted that real estate companies and associations—from brokerages to mortgage lenders—will always be valuable targets for cyberattacks by bad actors. Real estate companies host their users’ sensitive personal and financial information, after all, which is like a piggy bank for black hat hackers.
“I interviewed a Colorado Bureau of Investigation cybersecurity expert and she said, ‘Let the real estate industry know that you are the target. You are the target. And that’s because you are where the money is.’ No matter what, real estate is always going to be at the top of the list because that’s where the money and where the data is,” Hawkins recounted.
Which cyberattacks have been the most high profile, and how can you ensure that you or your company isn’t next?
Here’s a list of recent cyberattacks in chronological order:
Rapattoni (August 2023)
California-based software company Rapattoni services MLS organizations and also works directly with local real estate professionals via the Rapattoni MLS. The August 9, 2023 cyberattack that took down Rapattoni directly and exclusively affected real estate professionals; while their services were down, so were the agents who use the Rapattoni MLS and Rapattoni-affiliated MLSs (estimated at about 5% nationwide). Operations were restored on August 23, 2023.
Mr. Cooper (October 2023)
Mortgage servicer Mr. Cooper reported unauthorized access to their company systems from October 30, 2023 to November 1, 2023. The issue was discovered on October 31 and, following an investigation with law enforcement, Mr. Cooper found that the party responsible for the breach had obtained customers’ personal information.
As many as 14 million Mr. Cooper customers could have been compromised in the breach. Like Fidelity, the company has now faced class-action lawsuits, which in January 2024 were consolidated into a single suit.
Fidelity (November 2023)
Fidelity National Financial, Inc., which offers mortgage and title services, was hit by a cyberattack on November 19, 2023 (per the company’s filing with the Securities and Exchange Commission). This resulted in a week-long outage for users relying on Fidelity for mortgage transactions. The ransomware group ALPHV/BlackCat took responsibility for the attack before functionally was restored on November 26, 2023.
1.3 million Fidelity users could have been compromised in this breach. A class-action lawsuit is underway against Fidelity by its users, alleging negligence on the company’s part in securing their data.
This underlines the lasting damage a cyberattack can have on a company—the loss of consumer trust.
First American Title (December 2023)
First American Title, one of America’s largest title firms, reported a cyberattack on December 21, 2023. The company continuously updated its users on which systems were on or offline, but only restored full functionality on January 8, 2024. The firm has confirmed that encrypted data was stolen but insists that its funds are uncompromised.
loanDepot (January 2024)
Unfortunately, the cyberattacks didn’t stop with the dawning of a new year. loanDepot, one of the largest mortgage lenders in the U.S., was hit by a data breach on January 4, 2024. On January 22, 2024, the company informed the public that the attackers “gained access” to as many as 16.6 million users’ data during the breach.
Cybersecurity protocols
One can only hope that other large mortgage institutions are taking note of these attacks and responding with increased security measures. However, even if loanDepot winds up being the last knot in this string, the threat of cyberattacks remains as long as real estate companies hold sensitive data on their computers. That means you can’t just sit back and hope you’re not the next victim.
“(Agents) need to have cybersecurity protocols in place because the buck stops with them with their client. They’re the ones looking across the table at their client saying, ‘I’m sorry, I was sloppy. I didn’t protect your data,’” argued Hawkins.
There are many tried-and-true ways to keep your information cyber-secure, from two-factor authentication to spam filters. Even so, human error can’t be removed from this calculation—resolving that is a matter of education. Train yourself and your teammates to spot phishing emails. If you get an email or phone call claiming your info has been compromised, don’t panic—assess the situation because otherwise, your actually safe information might really be compromised.
There’s a new security risk, too, one with wide-ranging applications for bad actors: artificial intelligence.
AI has been hailed as a great new tool for real estate professionals; Hawkins agrees with that assessment but argues that agents must be aware of the technology’s security threats, too. “Any and all cybersecurity conversations must include artificial intelligence,” she said.
For one, text generation can be used by cybercriminals to sharpen their grammar, which makes phishing emails harder to spot. If an email reads like it’s official, you’ll be more likely to trust it and potentially click on included links.
As Hawkins described, AI can play on trust via generated voice mimicry or deep fakes (video with someone’s face digitally inserted). If your boss calls asking for your password—and it sounds like them—your first instinct might be to hand it over. The solution is to be extra diligent. Not only scan any emails closely for tells (an unfamiliar address) but consider the context—why would someone you know be asking for your information?
If you are compromised, it’s important not to hide what’s happened—especially since there’s a requirement to inform the government. Coming forth may undermine your client relationships, but it’s better to mitigate the damage.
“As far as agents, if you find out that your client responded to an email and they paid money, they wired funds that were not legitimate to a criminal, you have a window of time, 48 to 72 hours to contact the FBI and report it, and there is a possibility that they could get that money back,” said Hawkins. “So the sooner it’s reported, the faster the FBI can keep it hopefully from going overseas. So that’s where education is in play as opposed to an agent wringing their hands and apologizing profusely.”
Since computer technology never slows its development, security protocols will require continuous re-education. If you spare the time to learn, you’ll also spare yourself stress, a lighter wallet and a reduced sphere of clients.
