July 17, 2017
The California Association of Realtors (CAR) suffered a data breach this month. CAR members who use Real Estate Business Services may have had financial and personal data stolen.
CAR is unsure how many people have had their data breached, but some 1,033 members purchased products online from the service during the known time of the attack. A piece of malware had infected the organization’s payment system from March 13 to May 15.
In a letter sent to members at the start of this month, CAR said:
“We recently learned that malicious code (“malware”) uploaded by an unauthorized third party was present in payment processing software used for store.car.org. This malware may have copied and transmitted to an unknown third party personal information that briefly went through our servers during the store.car.org payment processing step of purchases of REBS (Real Estate Business Services) products and services between March 13, 2017 and May 15, 2017.”
CAR has switched its payment provider to address the issue and is now using a PayPal solution. The delay between the incident and the notification of members is probably not appreciated by those affected, especially when a whole host of personal and financial information could have been lost in the data breach. Information including name, address, credit card number, credit card expiration date and, in some cases, credit card verification code could all have been acquired by the culprits.
As mentioned, CAR has switched payment processing and said it has implemented additional security since. It is also offering those affected a year of credit monitoring for free.
The attack is a typical example of a kind of data breach that occurs all too often. Organizations continue to struggle to identify and detect unauthorized activity on their systems. This delay can be damaging to the company, but also damaging to the quality of response. CAR members had to wait a whole month before being alerted to the attack; a lot of damage could already have been done.
Organizations need better ways of detecting unauthorized activity on their systems. That’s where a security ecosystem like GDS can help. Behavioral analytics help spot suspicious activity early on, and let organizations deal with it just as swiftly.