By using this website, you agree to our use of cookies to enhance your experience.


CTS Cyber Attack: 'What lessons need to be learned?'

This week saw around 80 conveyancing firms across the UK paralysed by a service outage caused by a ‘cyber incident’ on their shared IT provider, CTS, bringing many property transactions to a standstill.

Distressed property buyers across the country took to social media to air their frustration, estate agents were left with their hands tied, clients were left angry and commissions did not materialise.

How were so many different firms taken down by a single cyber-attack?


As the awful news of a cyber-attack on CTS broke and we learnt of the growing impact, not just on the business and its clients, but associates and contacts across the property market, I felt initial shock and then tremendous sympathy for all the buyers, sellers, agents, mortgage brokers, lenders, lawyers and associated businesses caught up in such a terrible situation. 

There can be no doubt the industry has suffered and the focus must now be on helping those affected through this - getting people moved, transactions completed, and the industry participants involved paid.  Collaboration has never been more crucial and it’s important to remember that this situation is not down to individual lawyers, agents or brokers who will be doing everything they can to progress matters for their clients.

Big breaches in the US

In terms of the legal profession, the big question is “How did this occur”? The CLC declared on Monday that none of its 220 members have been directly affected and the SRA has said the impact on its members has been minimal, so where does the responsibility lie? Is it with regulators? Firms and their insurers?  IT suppliers?

Disaster struck as a result of a key component of the Citrix environment used by CTS is believed to have been compromised. Hackers are said to have been exploiting the CitrixBleed vulnerability since late August, but it wasn’t until 10th October that Citrix released a patch. There are reports that the patch didn’t work initially and neither the vulnerability nor the patch appears to have been well publicised to anyone (except hackers!) 

Reports from more than one credible source say there was knowledge of a threat of potential hackers after some big breaches in the US caused by the  “CitrixBleed Bug” two whole weeks before the incident. This scandalous and shocking revelation will no doubt be at the centre of a future investigation which could further tarnish reputations in the industry.

Opportunity for exploitation

It cannot be denied that no matter how much security you have in place, a determined intruder is going to get in.  Whether this is your house, office, car or computer network there is little that can be done for a dedicated attacker that “comes for you” in numbers and with force.  You can put up resistance for so long, and may do so valiantly, but a determined attack with superior numbers, technology and resources is able to win through. In that scenario it is a bit of a ‘David and Goliath’ situation, but this wasn’t the case for CTS. It would appear that the “back door was left wide open”, creating an opportunity for exploitation.   

After hearing the names of the firms that had been hit last week as the news was disseminating over the market, I could not help but catastrophise the prospect of a larger assault from a nation state in my mind, but it seems that it was a result of oversight rather than aggression.

In our firm, we have hugely robust systems and a tested business continuity plan, but having a back-up plan that you can implement is key, and we have seen how several of the firms affected have seemingly done this.  Most people who wear spectacles like me, keep their old pair as back up in case they break, they are just not the same quality.

The hack is having ripple effects as far as 10 Downing Street, as it comes just weeks after the British government failed to introduce promised legislation that would have required Managed Service Providers like CTS to increase their cybersecurity protections.  Yes, it can be a pain to have levels of security in place but as one of my Partners likes to say “data is the new gold”.  No need for Auric Goldfinger to physically take over Fort Knox to hold the world to ransom - he could do so from his lair in Switzerland with just a laptop!

Do I think that technology is to blame?  Absolutely not.  This is the 21st century equivalent of a burglary or should we say kidnap as it seems a ransom may well have been requested.  I don’t think those calling for paper files to become the norm again are right at all.  Firms should have cyber insurance to cover this unfortunate reality that any business now has to face up to.  Technology is only as good as those using it or in this case maintaining it.  I just wonder what the regulators, whose silence has been deafening, are actually planning on saying and doing?

All this is, of course, little comfort to the home movers, estate agents and those in the property industry at large who have been affected.  I know the solution to their problems will be everyone working together to get matters through.”

  • icon

    The fact is professional indemnity insurers will determine next steps.

    No one is saying only paper files will do. The truth is though that a paper file can’t be hacked. Paper light as opposed to paperless might be the optimum position.

    The industrialisation of conveyancing so that third parties can extract even more money out of the process is the problem. A property transaction is a legal transaction. Too many people have argued for and achieved legal-less conveyancing and paid out referral fees to attract work yet transaction times have increased for them whereas properly run Solicitor firms can complete within 8-10 weeks of contracts being issued.

  • icon

    Sorry but the comment about referral fees and turnaround times in the context of cyberattack (you say "it is the problem") is a complete non-sequitur. Whilst all reasonable precautions must be taken by law firms to protect client data and withstand an attack, in the end there must be a really good disaster recovery plan in place that is tried out and proved before you need to rely on it, if firms are to survive an attack and protect their reputations. I have seen such plans that are shockingly complacent and would not result in the firm being able to conduct its business to any satisfactory extent if a cyber attack were to occur. Unfortunately it requires imagination and a strong constitution to really address what might happen if a firm is cut off from its files, ledgers, banking and communications and it is useless to employ half measures in planning for a disaster. By the way, I was practising law when referral fees first came in and had nothing good to say about them. I realised later that they had had a positive effect on service standards because those who sullied the reputation of the industry by delivering sub-standard service were kicked off the panels. Unfortunately what panel managers do not measure is the quality of the legal advice provided. A firm can return calls all day long and get 5 stars for service but if they have failed to deliver technical legal excellence it may not emerge for years. If only there was a way to ensure both...good communicators using AI perhaps?

  • icon

    “ The industrialisation of conveyancing so that third parties can extract even more money out of the process is the problem.”

    “ Too many people have argued for and achieved legal-less conveyancing and paid out referral fees to attract work…”


Please login to comment

MovePal MovePal MovePal