Foxtons rejects claims of slow reaction to data leak

Property firm Foxtons has insisted it acted by the book in dealing with an October 2020 cyber security incident after personally identifiable information (PII) relating to an unknown number of customers was found circulating on the dark web.

The initial attack took place on 16 October and forced the firm to take its customer portal offline. It informed the relevant authorities of the incident, which it described at the time as a “limited malware virus” which affected multiple other companies at the same time, and said it was not obliged to inform its customers because no notifiable data had been compromised.

However, subsequent investigations conducted by the I newspaper have now surfaced 16,000 data records, including card details, addresses and private correspondence. The newspaper claimed the files were published on the dark web about three months ago and have been viewed over 15,000 times since then.

The data is understood to date to before 2010, so much of it may be too out-of-date to be much use to cyber criminals, but investigators claim to have found that up to 20% of the card data may still be valid. The newspaper also said it had seen statements from whoever is leaking the data claiming that, so far, the dump comprises only 1% of the total amount of data exfiltrated.

Responding to this, a Foxtons spokesperson said: “Alexander Hall, Foxtons’ mortgage broking business, was subject to a malware attack in October 2020 that affected a number of other organisations. Some IT systems were affected for several days, but were restored without significant disruption to customers.

“We have forensically been through all the stolen data and confirm it is both old and incomplete, therefore not usable by a third party and not possible for it to cause financial loss or harm to those affected customers.

“All necessary disclosures have been made and full details of the attack were provided to the FCA [Financial Conduct Authority] and ICO [Information Commissioner’s Office] at the time. We are satisfied that the attack did not result in the loss of any data that could be damaging to customers and believe that the FCA and ICO are satisfied with our response.”

But even having acted properly under the circumstances, the incident appears to have exposed some flaws in Foxtons’ approach to data security, as Skurio CEO Jeremy Hendy pointed out.

“With businesses holding sensitive data on thousands of individuals, it has historically been difficult to detect breaches and leaks from those customer datasets,” he said. “It is therefore important to routinely monitor for exposed data outside the organisation’s network as it is critical to know it’s happened as soon as possible – and then act immediately.

“Early breach detection is a fundamental expectation of the GDPR [General Data Protection Regulation] and companies that take a lax approach can expect to face growing regulatory fines.”

Javvad Malik, security awareness advocate at KnowBe4, urged caution when assessing the provenance of the data.

“Criminals are continually evolving their methods and ways in which they can extort victims or cause embarrassment,” he said. “Anyone can publish details on the dark web claiming it comes from a breach, but people should be careful before jumping to conclusions.

“However, if someone suspects their details could have been exposed in any breach, they should ensure that any passwords that may have been compromised are changed, not only on the impacted service, but also on any other sites which may have used the same credentials.

“Similarly, people can set up credit monitoring, and be wary of any unsolicited emails or calls they may receive regarding the breach, or claiming to be from the company. Criminals will often try to scam impacted users, adding further insult to injury.”

Cortex Insight CTO Stephen Kapp agreed that whatever the full facts of the incident are, Foxtons customers would be best advised to take steps to protect themselves from identity theft and future fraud attempts.

“Foxtons customers should take some time to validate payments and potential credit history interactions since October and flag anything suspicious to their bank,” said Kapp.

“Even though a subset of the entire customer data has been leaked, with the attackers claiming they have the entire data and they have released only 1% publicly, it doesn’t mean it hasn’t been shared and exploited privately.”