30-Nov-21 – A ransomware attack on a property management company in Chicago did not get ransom but exposed personal information about unit owners and prospective unit owners at John Hancock Center.
Cancelled checks, credit reports, and loan documents were exposed in the attack that was first noticed by Sudler Property Management on October 31.
At a meeting on November 15 of 175 East Delaware Place Homeowners Association, Alfred Saikali, a privacy and data security lawyer with Shook, Hardy & Bacon in Miami, told owners there is evidence their name, address, and bank account information were “probably taken” if they paid Sudler with a paper check.
The news was worse for prospective unit owners whose credit reports were shared with Sudler. Those reports may have been taken, including their name, address, social security number, date of birth, and some bank account information.
And loan documents may have been intercepted that included the name, contact information, social security number, date of birth, and driver’s license of board members who obtained loans on behalf of the association.
Saikali said the attack, described by Sudler as “sophisticated,” was discovered when certain computer files could not be accessed because they had been encrypted by an unauthorized third party. He says the files were restored from a secure cloud-based backup.
Sudler called the conclusions “preliminary” but advised unit owners to monitor their bank accounts for unauthorized activity. Saikali also recommended they implement multi-factor authentication – for example, a password plus other identification such as a code number sent to them by text – on accounts where sensitive information is at risk.
He said once more is known about the incident, “within a month or two,” Sudler will send a formal notice to owners and, if a social security number or driver’s license was exposed, offer credit monitoring.
Paying ransom not an option
Saikali says the FBI, Illinois Attorney General’s office, and other law enforcement agencies were notified about the ransomware attack. Paying the ransom, however, the amount of which he did not disclose, was not an option.
“With ransomware, there is a [federal government] list of...threat actors or terrorists that you [are] just not allowed to make any payments [to],” he said. “If you do it, you potentially go to jail and face civil sanctions.”
Saikali says regardless of how much an organization spends on cybersecurity, there will always be a risk of a data breach.
“It just happens, unfortunately,” he said. “It’s the world we live in. I’m not saying that excuses it. I’m just saying that’s just sort of a reality of doing business these days.”