This week saw around 80 conveyancing firms across the UK paralysed by a service outage caused by a ‘cyber incident’ on their shared IT provider, CTS, bringing many property transactions to a standstill.
Distressed property buyers across the country took to social media to air their frustration, estate agents were left with their hands tied, clients were left angry and commissions did not materialise.
How were so many different firms taken down by a single cyber-attack?
As the awful news of a cyber-attack on CTS broke and we learnt of the growing impact, not just on the business and its clients, but associates and contacts across the property market, I felt initial shock and then tremendous sympathy for all the buyers, sellers, agents, mortgage brokers, lenders, lawyers and associated businesses caught up in such a terrible situation.
There can be no doubt the industry has suffered and the focus must now be on helping those affected through this - getting people moved, transactions completed, and the industry participants involved paid. Collaboration has never been more crucial and it’s important to remember that this situation is not down to individual lawyers, agents or brokers who will be doing everything they can to progress matters for their clients.
Big breaches in the US
In terms of the legal profession, the big question is “How did this occur”? The CLC declared on Monday that none of its 220 members have been directly affected and the SRA has said the impact on its members has been minimal, so where does the responsibility lie? Is it with regulators? Firms and their insurers? IT suppliers?
Disaster struck as a result of a key component of the Citrix environment used by CTS is believed to have been compromised. Hackers are said to have been exploiting the CitrixBleed vulnerability since late August, but it wasn’t until 10th October that Citrix released a patch. There are reports that the patch didn’t work initially and neither the vulnerability nor the patch appears to have been well publicised to anyone (except hackers!)
Reports from more than one credible source say there was knowledge of a threat of potential hackers after some big breaches in the US caused by the “CitrixBleed Bug” two whole weeks before the incident. This scandalous and shocking revelation will no doubt be at the centre of a future investigation which could further tarnish reputations in the industry.
Opportunity for exploitation
It cannot be denied that no matter how much security you have in place, a determined intruder is going to get in. Whether this is your house, office, car or computer network there is little that can be done for a dedicated attacker that “comes for you” in numbers and with force. You can put up resistance for so long, and may do so valiantly, but a determined attack with superior numbers, technology and resources is able to win through. In that scenario it is a bit of a ‘David and Goliath’ situation, but this wasn’t the case for CTS. It would appear that the “back door was left wide open”, creating an opportunity for exploitation.
After hearing the names of the firms that had been hit last week as the news was disseminating over the market, I could not help but catastrophise the prospect of a larger assault from a nation state in my mind, but it seems that it was a result of oversight rather than aggression.
In our firm, we have hugely robust systems and a tested business continuity plan, but having a back-up plan that you can implement is key, and we have seen how several of the firms affected have seemingly done this. Most people who wear spectacles like me, keep their old pair as back up in case they break, they are just not the same quality.
The hack is having ripple effects as far as 10 Downing Street, as it comes just weeks after the British government failed to introduce promised legislation that would have required Managed Service Providers like CTS to increase their cybersecurity protections. Yes, it can be a pain to have levels of security in place but as one of my Partners likes to say “data is the new gold”. No need for Auric Goldfinger to physically take over Fort Knox to hold the world to ransom - he could do so from his lair in Switzerland with just a laptop!
Do I think that technology is to blame? Absolutely not. This is the 21st century equivalent of a burglary or should we say kidnap as it seems a ransom may well have been requested. I don’t think those calling for paper files to become the norm again are right at all. Firms should have cyber insurance to cover this unfortunate reality that any business now has to face up to. Technology is only as good as those using it or in this case maintaining it. I just wonder what the regulators, whose silence has been deafening, are actually planning on saying and doing?
All this is, of course, little comfort to the home movers, estate agents and those in the property industry at large who have been affected. I know the solution to their problems will be everyone working together to get matters through.”