Cyber Attacks on Corelogic
Recent Cyber Attacks on CoreLogic and a Large Appraisal Firm Expose a Real Business Risk to Valuation Firms and Companies.
As two recent attacks show, cyber crimes pose a real risk – legally and economically – to appraisal firms, management companies and other businesses involved in property analytics. If an operation like CoreLogic can be victimized by criminal hackers seeking property information, as it was in an attack earlier this month, any valuation firm or property analytics company is at risk. And, more seriously, the losses suffered by an appraisal firm in the separate cyber attack discussed below demonstrate how devastating the financial harm can be from an attack that spills valuation data onto the “dark web.” That appraisal firm, with 350+ commercial and residential appraisers in Australia, has been suspended for new appraisal orders by the four biggest banks in that country and by other clients as well.
CoreLogic’s “Risk Meter” Database Hacked
Last week, property analytics company CoreLogic filed a unique lawsuit in U.S. District Court, disclosing that it had been victimized by a malicious hacking of one of its many databases. Perhaps it was because of the innocuous case title (CoreLogic, Inc. v. John Does 1-10), but I haven’t yet seen any public media reporting about the case, as of today February 28. In the lawsuit, Corelogic sued 10 defendants, named John Does 1 through 10. The reason that all of the defendants are identified as “John Does” is that CoreLogic does not know the actual identity of any of the persons it is suing. All that CoreLogic knows about them is that they hacked into a CoreLogic database used for a property analytics application called “Risk Meter,” copied the contents, and stole the data by moving it to an external server. And, it knows the IP addresses from which the attacks may have been staged.
Here are the specific allegations from CoreLogic’s complaint:
CoreLogic says that the Risk Meter application provides “natural hazard risk reports and highly granular risk data, including data that could identify information associated with particular real properties.” Within the stolen data are “client user identification and password information, user information, and real property data.” It does not appear to be a critical or material problem for CoreLogic. There is no indication that any data spilled publicly or that it involved consumer records. That’s probably because CoreLogic has a capable tech and legal team – most other valuation firms and companies don’t have the same resources to deal with criminal hackers.
The immediate action that CoreLogic’s capable lawyers (O’Melveny & Myers) are pursuing is for permission from the federal court to serve subpoenas on the two web hosting companies associated with the IP addresses tied to the hackers. CoreLogic hopes that this will enable the hackers to be identified and that CoreLogic can then name them in the lawsuit to seek appropriate injunctions and damages.
Cyber Attack on Appraisal Software Platform Puts Valuation Data on the “Dark Web”
In a separate, more consequential matter, an appraisal firm LandMark White (or LMW), one of the largest in Australia with 350+ appraisers, announced earlier this month that it had been victimized by an extensive cyber theft of data relating to valuation services performed over as much as an eight-year span from 2011 to 2019. In this incident, the company says that cyber thieves accessed the valuation data in one of the company’s software platforms “via an exposed programming interface” and that the data ended up being made “publicly available on the dark web” by the thieves. Coincidentally, in one of its initial descriptions of the situation, LandMark White stated that it was alerted to the data theft by CoreLogic. Unfortunately, LandMark White has had to disclose that it failed to act on some of the other early warnings it received, including posts on Twitter about the hacked data.
LandMark White has indicated that the dataset contains:
- approximately 137,500 unique valuation records, and approximately 1,680 supporting documents.
- approximately 250,000 individual records in total but a lot of records are duplicates.
- the date of the documents range between approximately 4 January 2011 and 20 January 2019.
To say the least, this is a giant problem for the firm. For one thing, the firm has had to publish a notice to potentially affected consumers informing them: “If you are concerned, you should consider requesting that a ‘credit ban’ be put in place while you investigate further…” Australian news reports have indicated that the firm’s banking clients may have to notify over 100,000 borrowers. Another problem is that many of the firm’s largest clients – including Australia’s four biggest banks – have suspended placing any further appraisal orders with the firm. The firm has stated “we are unable to ascertain when these clients will reinstate LMW and hence when LMW will be in a position to assess with any certainty the financial impact of the incident.” And, finally, since the firm is a public company in Australia, after an immediate drop in its stock price as the attack became public, the trading in its stock has been suspended until further notice. If this occurred in the United States, consumer and shareholder class actions would surely follow next.
So, that’s the stark reality. Cyber threats are real risks to appraisal firms and to any businesses involved in valuation or property analytics. The risks concern both liability exposure and business economic losses. Any firm is certainly at risk, given that a powerhouse like CoreLogic itself can fall victim. At this point in time, however, I would estimate that fewer than 1% of appraisal firms in the U.S. carry any meaningful cyber crime coverage and that fewer than 5% of appraisal management companies carry it. This kind of coverage is neither difficult to obtain nor expensive – some experts have said that insurance carriers are not yet pricing the developing risk sufficiently (in other words, the coverage is a good value for the insured).