Moving home can be a very stressful time. However, imagine finding out on your moving date that you can’t move because of a website outage. That’s exactly what happened this week to a number of people who should have been on the move.
On the 8 November 2011 MyHomeMove Conveyancing announced on Twitter:
Purplebricks is one of many companies that use this company for conveyancing. A spokesperson for the online estate agent said “Less than 100 Purplebricks customers have been affected and have had their completion date delayed.”
The Simplify Group
A spokesperson for Simplify Group, which manages communications for Premier Property Lawyers (part of MyHomeMove Conveyancing), said in a statement:
“Following preliminary investigation of our IT system outages, we became aware on 8 November 2021 that parts of our business have been subject to a security incident involving some IT systems. We have been working with our third-party cyber specialists to restore systems, find ways to support our clients’ property transactions and undertake a thorough investigation to gain a fuller understanding of the incident. We have also taken steps to report the incident to relevant authorities and to contact clients, partners, and others we work with.”
Relevant authorities could include the National Crime Agency (NCA), the Solicitor’s Regulation Authority (SRA), Council for Licensed Conveyancers or the Information Commissioner’s Office (ICO).
Meet one of the victims
Steve Hinder, a self-employed software developer, was supposed to move house on 9 November. He received a call around 10.30am from his solicitor, saying they had a problem but not to worry as she had a solution. She said that the systems/phones/emails were all down but “as we were buying and selling at the same price it didn’t matter and we could carry on”. Hinder says “I couldn’t get my head around how that could work but I trusted her word”. He continued “However, at around 11.30am she phoned to say that we couldn’t complete.” Frustrated with the lack of information given, other than “systems down”, he had two trucks full of the family’s possessions that they couldn’t get at.
On 10 November a Simplify Group spokesperson said “We have now restored our IT systems to be able to process payments to enable clients to move and we have been working through the night on the backlog from and over the coming hours will continue to proactively contact clients who are scheduled to complete and provide all the support we can to our clients and partners.”
That support hasn’t been good enough for Hinder and his family, who did move on the afternoon of the 10 November but only with as much as they could pack into two cars for the family of four, to keep them going until Saturday.
“The removals company said that they would have to pay again to have it delivered on another day and the solicitor has said they will cover reasonable expenses.”
People often stretch themselves financially to move home so incurring extra cost is extra stress. Hinder has already been told that the removal company want another £1500 for storage and new delivery date. He has been told to keep costs “reasonable” and they will be paid but he has no confirmation that this unavoidable cost will be paid.
Being self-employed and based at home, he will be unable to work without a desk or computer. He says that it is going to cost him hundreds of pounds in lost earnings.
This is how the Hinder family lived until the rest of their belongings arrived, three days later.
Despite people not being able to move and the concern that has been caused, the company is causing more worry by not being transparent about the details of the outage. A number of emails to their press office could not elicit details of how many people had been affected. Nor would they say what agencies had been informed. Customers have specifically asked if there has been a breach of data but are not getting answers. Hinder said “I can’t get any information from them regarding any potential risk to our data which I feel they should be telling us.”
The Simplify Group reported the incident to the ICO [on 10 November]. A spokesperson for the ICO said “The Move Factory Holdings Limited has made us aware of an incident and we are making enquiries.”
If the Simplify Group has been the subject of a personal data breach, by not informing customers they are choosing to put those customers at the risk of fraud.
A Simplify spokesperson sad “At this stage of the investigation, we are not currently aware of a personal data breach. The current issues relate to the temporary inability to access some of our IT systems, which has regrettably prevented the completion of some transactions, and we are working hard to find further solutions. We continue to investigate and assess the situation, conscious of our responsibilities regarding the data we hold.”
Fraud and scam expert, Paul Newton of Mind Theft, says that it looks like it could be a failure of internal equipment. But his bigger worry is the possibility of a hack:
“If this is purely a denial of service attack (DDOS) then, while it’s a nightmare for the company, at least all data should be safe. What I am really worried about is if this is a targeted attack and people’s personal information has been taken. Just think about how much information you need to provide when selling or buying your house. The repercussions from a successful attack on that scale could be seen for years to come”.
He advises everyone to start using a password manager and set up two factor authentication on all of their accounts immediately.
James Bores runs Bores Cyber Consultancy. He says that the Simplify Group has shared very little useful information to understand the incident that they were dealing with. However, the fact that it has impacted subsidiaries across the group and blocked property transactions is a sign that it is not a minor issue. Bores comments:
“They seem to be playing it close to their chest, which frankly is rarely a good sign they know what they’re doing. Real estate is a prime target for fraudsters and organised cyber criminals either with general attacks, or by misdirection of deposits and payments through Business Email Compromise attacks (BEC) which impersonate third parties to change banking details. Previous cases show that the biggest damage to trust in a company doesn’t come from the incident itself, but often the poor communications surrounding it as organisations try to keep ’embarrassing’ information internal and out of the public eye. Companies should be prepared for these incidents, with training exercises available to test their incident response plans against different attack vectors and clear, transparent communications to customers.”
He is also concerned about the company employees using personal phones. “If you allow people to use personal devices rather than company devices you need to put the right protections in place, and it makes things complex. Many companies with a BYOD (Bring-Your-Own-Device) policy don’t really understand the risk that they pose, or put the right controls in place to protect the company from the personal device (or vice versa).
Even more so for companies that were previously office-based and went remote at very short notice, they often have rushed to put systems in place that are not really fit for purpose and haven’t been designed with security in mind, putting customers, staff, and the company at risk of various attacks.”
Legal law firms are growing in popularity as victims of organised cyber crime for various reasons, largely centred around the trust that clients place in them. The Solicitors Regulation Authority (SRA) published a report Cyber Security – A thematic review in September 2020 outlining the issues and the action that law firms must take. It says
“We have warned the profession about the dangers and need to be vigilant against cybercrime for a number of years. Whether by use of spyware, identity theft, viruses or simply tricking people to reveal sensitive data, cybercriminals are always attempting to find new victims and weaknesses in defences they can exploit.”
Bores says “The threat of both organised and opportunistic cyber crime is only increasing, and companies which do not properly invest in the security measures needed to protect their customers will only find themselves targeted more and more.”
News from MyHomeMove Conveyancing updated people on Twitter on 15 November 2021 but as of 21 November 2021 it still has not updated people.
The Simplify Group and parts of the businesses affected should have cyber insurance to cover claims by people affected.
The company should be responsible for consequential losses, meaning that they should pay for any additional costs that victims have incurred. But people will need to check the terms of business that they signed.
Their company insurance policy should cover their losses. The company will also probably have to pay any costs incurred on credit cards for those who used them for out of pocket expenses. They should be able to claim removal costs, storage costs and hotel accommodation if they had to stay elsewhere overnight. The loss of income is a grey area as the loss usually has to be foreseen i.e. did MyHomeMove know their client worked from home? Then they would look at usual potential downtime for a move.
This could take a long time to resolve!