Cyber Crime on Your Doorstep – Social Housing Sector Focus

Published 30 September 2021

Councils and social housing institutions have not been exempt from the rise in cyber attacks over the past few years. This is especially the case as many housing providers have aimed to make improvement in their adoption of digital services to account for the increasingly digital footprint of modern society. Unfortunately, as digital delivery of services increases, so does the increase in impact that cyber-attacks can have in this sector.

Recently, there have been an increase in the number of publicly acknowledged ransomware attacks committed against the housing sector. As we discussed in our article summarising recent developments in ransomware, ransomware is a type of malicious software designed to prevent user access to a computer system until a ransom payment is made.

Unfortunately, in the past two years, ransomware attacks have been commonly accompanied by data exfiltration and a threat to publish personal data if the ransom is not paid. The threat of data publication is often more impactful for organisations such as housing associations who will commonly hold both personal and special category personal data. The sector is already well served by a healthy claimant legal community, and a data breach arising out of a cyber-attack can expose organisations to a significant legal cost exposure from claims.

Even if organisations aren’t attacked themselves, housing providers are also exposed via their supply chain and third party partners. Many housing providers use third parties to provide services (for example, housing repairs). Should the third party be hacked, there is a risk that the housing provider will be held responsible.

A recent example of a supply chain attack is that of Plentific, a company which runs a platform that enables property managers to manage and source local repairs. Plentific was the victim of a cyber-security breach in late July 2021. Various residents of housing associations using Plentific received fraudulent phishing emails from email addresses which posed as Plentific. These phishing emails attempted to defraud the tenants by requesting money to pay for repairs.

Even if a ransomware attack does not involve a data confidentiality breach, the operational impact to services can be long-lasting. The delivery of housing services rely upon a wide range of public and private sector partners and if there is disruption in the network, that can have a knock on effect bringing gridlock to critical services: new applications to join the housing waiting list, repair reporting, updating register records, rent and service charge payments. There are examples of such services being interrupted for months as a result of cyber-attacks.

Aside from the costs of responding to the incident and meeting legal liability, rebuilding systems following an attack can be very costly. It was reported that the attack suffered by Redcar and Cleveland Council in February 2020 cost £8.7m, with the UK Government stepping in to provide £3.68m towards the system rebuild.

Overall, the severe and long-lasting consequences of a housing provider falling victim to a cyber-attack highlight the importance of cyber security in the sector. Investment is being made, for example the Ministry of Housing, Communities and Local Government is advertising a £1.3m contract for a team to support local authorities to improve their cyber health and reduce their risk from malware and ransomware earlier this month. This is certainly a welcome step but only time will tell if it is enough.