Hundreds of Co-ops and Condos Suffer Data Breach

Douglas Elliman Property Management is the most recent company in the co-op/condo management sphere to have had its data network breached. Personal information for building residents and employees, including Social Security numbers, dates of birth, mailing addresses, driver’s license numbers, passport numbers and financial information may have been stolen. 

“We immediately took steps to protect and further secure our systems, launched an investigation and promptly notified law enforcement,” says a spokesman for the company. “We are still in the process of investigating this incident but are taking the step to notify owners and others in buildings managed by DEPM and offer complimentary credit monitoring and identity protection services to those whose information may have been involved. We are not aware of any individual who has experienced identity theft as a result of this incident.”

While the consequences of the breach are still unknown, Jay Hack, a partner at the law firm Gallet Dreyer & Berkey, speculates that they could be dire. “Their entire data set was breached,” Hack says. “Is it going to show up for sale on the dark web in Bulgaria? Nobody knows.” 

Douglas Elliman executives say the firm detected “suspicious activity” on its IT systems April 7, according to The Real Deal. After launching an investigation and contacting law enforcement, Elliman determined that an “unauthorized party” gained access to its IT network between April 5 and April 7. The Federal Bureau of Investigation is now involved.

(Like what you're reading? To get the Habitat Weekly newsletter sent to your inbox free every Thursday, click here.)

News of the breach has sent shivers through the co-op and condo community. One management company, Charles H. Greenthal, sent an email to its clients, assuring them that their personal data is safe and offering this speculation about how the Douglas Elliman breach might have occurred: “A few have suggested this breach may have been tied to a ransomware attack sent via email, or that perhaps someone may have been tricked into sharing their user name and password for a web-based third-party system used to retain confidential information.”

After laying out its own internal security measures, the Greenthal letter continues: “We strongly suggest that our clients protect against unlawful access of their own personal devices by investing in similar anti-theft technologies and programs. Having them in place at both ends will only serve to elevate the level of security protecting your information. Lastly, purchasing cyber insurance will aid in recovering lost information and the replacement of corrupted equipment.”

Hack, the attorney, agrees with this approach. “I keep telling people in the banking and real estate industries that either you adopt appropriate procedures now to protect against data breaches – or, if you don’t and you get hacked, you have to pay 10 times as much. The first thing boards need to do is a risk assessment to find out what data is collected and what’s at risk. Boards also need to have a data-destruction policy, so that when they no longer need something, they get rid of it.”

Hack says the precautions should begin even before a board hires a management company. “If you’re going to negotiate a contract with a property management company,” he advises, “try to shift responsibility for a breach to the party that was breached. Also, require that they have cyber insurance. The co-op or condo board should also buy cyber insurance.” 

The good news is that such policies are not expensive – typically around $1,000 a year. “Cyber liability is one of the most complex insurance policies for a co-op or condo board,” says Jason Schiciano, a president at the brokerage Levitt-Fuirst Insurance. “It’s critically important for co-op boards – because of all the sensitive financial data they handle – but it’s also important for condo boards.”

The policies cover the cost of rebuilding compromised data bases, hiring an attorney to defend against lawsuits brought against the corporation after a breach, notifying affected parties and paying for their credit monitoring, setting up a call center where concerned parties can get information, and helping a co-op, condo or management company rebuild its reputation after a breach.

“A management company’s cyber insurance may not cover the board,” Schiciano says. “They should both have their own policy.”