Your HOA’s Been Hacked. Now What?

By Dawn Jaeger

I thought the large-scale community with 3,000 homes and 20 subassociations that I manage was too small to need any major computer security other than the typical antivirus and spam filters. I was wrong.

When we returned to the office after a fabulous Fourth of July weekend, nothing seemed out of the ordinary, except for an odd email in my inbox. It was addressed to all my staff and looked like a joke. It stated that the Karaturk (an Iberian black widow spider) team was in our system, and they wanted us to download a browser and contact them to see what they were ransoming our files for. If we didn’t pay, they were going to sell the information on the dark web. If no one purchased the files, they would be leaked.

I called my local IT guy, and we started changing passwords to lock them out. The second the first password changed, all of our files disappeared.

Initially, I wasn’t too worried. I had cyber insurance. I expected that once I reported the cybercrime to an insurer, it would assign a case manager and take the issue off my plate. Apparently, cyber insurance is not all-encompassing; it only covers bad wire transfers or stolen client lists, and it is not useful for big-ticket items like ransomware. Regardless, I needed to get my files back and operations moving forward, but I was not going to pay a ransom. I knew that we had backups, and I have seen too many movies to think paying a ransom was a good idea.

I got quotes and hired a cybersecurity team to remove the malware and do a forensic review. I wanted to know how we got the malware, how it spread, what it downloaded, and everything else. The team discovered the malware had come in through an email link, and the hackers had downloaded stryke software, created their own username (tech@ourdomain), hidden in our system, and jumped from computer to computer, into the servers, and through our internal network undetected for two weeks. They scavenged data, downloaded our files to Russia, and tried to infiltrate our data systems.

The people who hacked us are on the FBI’s list of cybercriminals, and they regularly hit small- to mid-sized businesses. Our advisor told me this hacker will typically request a ransom of $26,000 to $13 million and that victims only have a 20% chance of getting their files back if they pay. They are also known to hit the same businesses every three to six months. Even though our cloud-based databases were not hacked, reports downloaded from those databases were.

We were without access to our electronics for 10 days, and we had to use a backup that was from another 14 days before that. We had to replace servers and computers as well as download and delete files and software.

No one is too small to get hacked. There are bad guys out there, and they are targeting our industry. Now is the time to check your coverage, security, and policies.

1. Hire a cybersecurity team, and contact law enforcement. These can be very expensive, but they are necessary. The team will be in your system, isolating each computer and server and doing the forensic analysis, which your regular IT guy probably doesn’t have a clue about. I took the time to get bids, which ranged from $38,000 to $85,000 for two to four full days. For reference, we only had 20 units and a combination of computers and servers. If your community or company is bigger, expect more expensive quotes. You also should report the breach to the FBI, the government’s Internet Crime Complaint Center, and local law enforcement.

2. Hire a cyber breach attorney. They will help you determine what notifications are required once you get the forensics defining what information was breached. In California, data breaches are governed by Civil Code 1798.82, which supersedes the Davis-Stirling Act (state law governing community associations). Expect a lot of interaction with the attorney on what the community is legally responsible for.

3. Send notifications to those impacted by the breach. Let residents, staff members, and business partners know if their financial information or personal identifiers were breached. If personal identifiers were accessed, ransomware insurance provides at least a year of identity protection costs for every person affected.

4. Check your cyber insurance policies. Cyber insurance and cybercrime insurance are different. If you suffer a breach and don’t have ransomware insurance, it will cost a lot of money, time, and credibility with your clients and staff.

5. Improve your security and update your policies. Beef up your computer security with approximately five different authentications and next-generation antivirus software. Develop updated computer policies, and determine what is safe to store on computers. Make sure your digital backups go back at least 14 days.

Dawn Jaeger

Dawn Jaeger is executive director of Community of Harbor Bay Isle in Alameda, Calif.