We have unfortunately identified unauthorised data access to our RentPro product database in the latter half of last week, which may potentially constitute a data breach.
We say "potentially" because our investigations to this stage do not give us any reason to believe that malicious intent is involved, nor do we have any reason to suspect any sensitive data has been taken. However, any unauthorised system access is a contravention of the Computer Misuse Act, and as we take your data security and protection very seriously we have a clear duty to keep you informed of any such activity.
We understand that any potential security breach can be very alarming and confusing, so we've put together this plain English article explaining the following:
- what happened
- what action we have taken
- what information was involved
- what else are we doing
- what you can do
With a long history in web application development, our team has always taken data security very seriously, so we are both alarmed and embarrassed that someone has found a chink in our armour and potentially been able to access some of the data entrusted to our care.
On Wednesday afternoon we received an email from an "ethical hacker" alerting us that he had identified an issue with our application security and had been able to access up to 1000 rows of user account data. He did not issue any threats, rather his tone was one of scouting for business in order to "alert us and help us resolve these issues". However, his action represents a clear breach of the Computer Misuse Act and we are treating it with the appropriate seriousness.
What action did we take?
We immediately initiated our data breach procedures, in liaison with IT Guarded, a Belfast-based cybersecurity company who are experts in the industry, and identified that this person had signed up for a free trial the day before and had been probing the system for security vulnerabilities after having logged in as a trusted user.
We immediately locked access to that trial account and have temporarily disabled further automatic trial signups via our website to prevent a subsequent signup during our investigation stage. Initial investigations reassured us that the data was not accessible unless via a logged-in account, but once logged in this person was able to perform a "SQL injection" into the system.
SQL injection basically means that a suitably-skilled "hacker" can submit a specially-formatted text string into a vulnerable form within the system and disrupt the normal designed operation to gain unauthorised back-door access to the database.
We have not engaged in any way with this person, and have seen no further access attempts to the system since his first and only contact.
The unauthorised access has been reported to the UK's Information Commissioner's Office (ICO), and a report has also been submitted to the Police Service of Northern Ireland's (PSNI) cyber-crime unit. We have been liaising with the ICO and PSNI on this case, and they have advised that you do not need to report this incident to them separately.
What information was involved?
As far as we are aware, the hacker gained access to up to 1000 rows of user account data, including user names, email addresses and encrypted passwords. This point is important. No readable passwords have been compromised, but as explained below, we are now prompting all users to change their passwords as an extra precaution.
All passwords are encrypted using a secure one-way encryption algorithm, which means neither we nor anyone else can read them directly without a secret "hash key" which is stored on a separate server which has not been compromised. All bank account details (account names, account codes and sort codes) are also securely encrypted using the same mechanism.
While we have no evidence that any other data has been taken, we should point out that tenant, prospect, landlord and supplier personal details are not encrypted on the database and could be read by anyone if they should gain access to those tables. Details of financial transactions are also not encrypted but these are stored against IDs instead of people, and would require additional processing to be performed to make sense of these.
Documents and file attachments which have been uploaded by users for storage in the system are stored in a separate part of the system and have not been accessed.
Our investigations at this stage lead us to believe that the ShowHouse product database has been unaffected.
What else are we doing?
We are continuing to scan our system this week but are confident at this stage that we have plugged the security gap in question, and just wish to have this validated by the cyber-security company we are working with.
Although we adopt security best practice as standard and conduct regular security audits, we have obviously slipped up somewhere along the way in relation to screening data submitted from users via a small number of forms, and we accept full responsibility for this and fully apologise to you, our trusted customers.
If you are wondering why we have waited a number of days before alerting you to this incident, this has been a deliberate decision to allow us to lock down the system, gauge the scope of what has happened, identify the security vulnerabilities involved and get these plugged so that any other ill-minded individual is not aware of these. We have been working with cybersecurity consultants to get the system fully secured again before informing users.
This could not have come at a worse time for us since we are fully involved in reviewing all of our security processes, policies and procedures in preparation for the GDPR deadline on 25 May 2018. One of these upcoming tasks has been to perform fresh scans for potential vulnerabilities, but it seems someone has beaten us to that. We will be communicating these updates in the next couple of weeks, but this incident in the midst of our preparations is extremely embarrassing.
What you can do?
Although any password data which may have been accessed is securely encrypted, we will be forcing users to update all passwords as a precaution. As in any case like this we advise that you change passwords on any other systems which may use the same password.
We have already completed work on enforcing a strong-password policy as part of our GDPR compliance efforts, and will be releasing this very soon. In the meantime please use a password of at least 8 characters, with at least one lower case and capital letter, one number and one symbol.
Whilst we don't have any evidence that tenant or landlord information has been taken, you should make your own decision on whether you wish to inform your data subjects of this incident, in your role as a data controller.
Although we are confident that the threat has now been addressed, we ask that if you notice anything suspicious on your account or receive any suspicious correspondence (email or phone) purporting to come from RentPro that you contact us for reassurance.
You do not need to inform the ICO as they already have a case open on this matter.
Where to find more information
We ask that you please accept our most sincere apologies for allowing any element of your valuable data to be comprised, no matter how small. In our 14 years of business, this is the first such incident of this nature. Please trust that we will be extra vigilant in future.
Of course, if you wish to discuss any of this with us directly please drop us an email to firstname.lastname@example.org.