We’ve been cyber-conned
28 January 2020
We want to share a story with you. It’s not the kind of story we would like to tell, but it needs to be told.
At Red Kite Community Housing we have never been shy of speaking up within the sector when we felt we needed to; we have always shared the things we have learned and we have talked about the positive things we have done.
Now we need to tell you about something that has happened to us. Something that still frustrates and angers us. But, if we are to live true to our values, we need to maintain our transparency and be open about our recent experience.
To be blunt, we were conned. A sophisticated cyber-crime which had a devastatingly simple result: we have lost money. More importantly, it is the money that our tenants work hard to entrust us with, and that is what makes it hurt even more. It is made worse by the fact that the amount is more than £932,000.
As a community organisation that has built a track record of saving our residents over £33m in the first five years, and almost another £30m on our long-term business plan, it is absolutely galling to lose £1, let alone the sum involved in this crime.
What really angers us, though, is that these criminals have purposely targeted a charitable organisation.
Over the eight years that we have been established, we have built robust processes and systems that have successfully prevented all previous cyber-crime attempts.
Our sector is targeted by cyber-criminals on an almost daily basis, and we are no different. Our IT systems and teams detect and stop attempts to access information and steal data or money every day.
We have never been complacent – we have experts regularly try and break into our systems, identify vulnerability and build new defences against new forms of attack, and of course these have been regularly audited and deemed entirely fit for purpose.
I’m sure that we are no different in these respects from many other housing associations.
But what happened to us this time was different and it has brought home to us that you can never drop your guard for a moment, no matter how safe you think your systems are.
We aren’t going to credit this con as being clever; we don’t want to glorify the criminals responsible. What they managed to do was to expose a weakness using sophistication and human nature to carry out the theft of this money.
In essence, they mimicked the domain and email details of known contacts that were providing services to Red Kite.
Through this they managed to recreate an email thread that misled those who were copied into the email that it was a genuine follow-up to an existing conversation.
Despite this, we still had an additional safety net in place, a two-stage process to verify changes to payments and accounts which ordinarily would have caught this attempt.
This, however, proved to be our weak point, with an error being made by the clear process not being actioned, resulting in a missed opportunity to shut the door before the money was taken. This is the part that upsets everyone involved.
This all happened at the end of August, and as you can imagine there has been much going on in the background since then.
We can’t begin to describe how much time and effort it has taken to investigate, review and audit systems and keep our stakeholders, including our members, updated. We brought in an internationally renowned cyber-specialist organisation to help identify what happened and to find evidence that we could pass on to the police and to thoroughly test and report on our systems.
We are reassured that our systems were not compromised. However, that does nothing to ease the pain of the situation. As such we have continued to build additional security measures into our IT and to review completely all our processes in relation to payments in order to minimise the chance of a single point of weakness occurring in the future.
Most importantly, we have strengthened further our staff training in the risks.
One key lesson is that no matter how good you believe your systems to be, the human dimension will always be a potential weakness. By talking about this openly, we hope that colleagues in the sector reflect on their own systems and take the opportunity to ensure that this doesn’t happen to them.
Action Fraud, the dedicated police unit that responds to cyber-crime, has passed this on to the police, who are still actively investigating what happened.
They have reported that they are on the trail of the criminals and we are therefore going to respect the integrity of their investigation and the lines of enquiry on which they are currently working. We are, however, intent on making sure that we support and take all necessary action to recover the money that was taken.
As a board we have been working with the staff to put together a robust action plan for the Regulator of Social Housing (RSH), and this includes working with the regulator to make sure that they have all the information that they need.
We have also respected their embargo deadline and therefore have not released this information until they issued their own statement today.
Our teams have also been working to minimise the impact of this crime, being successful in renegotiating a financial deal that has saved us an additional £1.1m.
This doesn’t mean that we sit back and rest on our laurels; it just means that we have been able to compensate for the loss and our residents will not suffer as a result.
Thus, we can say with certainty that, as a result of this con, we will not be changing anything we currently support or that we undertake for our community, either now or in the future.
Although we are naturally disappointed with the change in our governance rating from G1 to G2, we totally appreciate and understand the rationale which led to the decision. We will continue to work with the RSH to make sure that they are happy that the action plan being overseen by the board is completed and that this enables us to lead a pathway back to G1.
So learn from our experience – believe us, it is a lesson painfully learned!