Real Estate and Rental and Leasing

Please provide the information below to view the online Verizon Data Breach Investigations Report.

The information provided will be used in accordance with our terms set out in our Privacy Notice. Please confirm you have read and understood this Notice.

By submitting the form, you are agreeing to receive insights, reports and other information from Verizon and affiliated companies in accordance with our Privacy Policy. California residents can view our California Privacy Notice.

Verizon may wish to contact you in the future concerning its products and/or services. If you would like to receive these communications from Verizon, indicate by selecting from the dropdown menu below. Please note that you can unsubscribe or update your preferences at any time.

Indicates a required field. The content access link will be emailed to you.

View only

Thank You.

Thank You.

Gracias.

You may now close this message and continue to your article.

  • Resumen

    Web Applications attacks utilizing stolen credentials are rife in this vertical. Social engineering attacks in which adversaries insert themselves into the property transfer process and attempt to direct fund transfers to attacker-owned bank accounts are also prevalent. Like many other industries, Misconfigurations are impacting this sector.


    Frequency 

    37 incidents, 33 with confirmed data disclosure


    Top Patterns 

    Web Application, Everything Else and Miscellaneous Errors represent 88% of data breaches


    Threat Actors 

    External (73%), Internal (27%) (breaches)


    Actor Motives 

    Financial (45%—97%), Convenience/Espionage (0%—40% each), Fear/Fun/Grudge/Ideology/Other/Secondary (0%—21% each) (breaches)


    Data Compromised

    Personal (83%), Internal (43%), Other (43%), Credentials (40%) (breaches)


    Top Controls

    Top Controls: Secure Configuration (CSC 5, CSC 11), Implement a Security Awareness and Training Program (CSC 17), Boundary Defense (CSC 12)


    Data Analysis Notes

    Actor Motives are represented by percentage ranges, as only eight breaches had a known motive. Some charts also do not have enough observations to have their expected value shown.



    SOLD!

    There is nothing quite like that feeling of owning your first home. Moving in, enjoying the smell of fresh paint, and reflecting on all the memories you’ll make. Our data for this vertical indicates that cyber criminals are also being allowed to move right in and make themselves at home. Whether they are attending a showing of your data via Web Applications attacks, utilizing social engineering in the Everything Else pattern or simply being asked to drop in by your employees through an assortment of Miscellaneous Errors, they are certainly being made welcome.  As you can see in Figure 95, it is difficult to state conclusively which of these three patters is the statistical leader but we can assert that they are all in the running. 
     

    Don’t leave the key under the welcome mat

    Although we saw a rather small number of breaches in this sector over the last year, there are some interesting high-level findings to discuss.  As in many other sectors, criminals have been actively leveraging stolen credentials to access users' inboxes and conduct nefarious activities. In fact, across all industries, credential theft is so ubiquitous perhaps it would be more accurate to consider them time shares rather than owned.  Meanwhile, other external actors are relying on social engineering to get the job done. Some of these activities are simply aimed at stealing your data, but in other cases these attacks can be used to tee up a separate assault, as seen in many of the attacks that leverage pretexting.  

  • Figure 95
  • Figure 96 shows how Bad GuysTM 43 exploit the milk of human kindness to dupe well-meaning employees into assisting them to achieve their objectives. They use pretexts to alter someone’s behavior in such a manner that the employee divulges sensitive information, or otherwise unwittingly helps them to commit fraud. One example of this type of social engineering is when the attacker inserts themselves into an email thread regarding the sale or purchase of a new home and convinces the victim organization to transfer funds to attacker-owned bank accounts. It’s worthwhile to make a phone call to confirm details before making this type of significant transaction.


  • You sent that to who?!

    Even though this is the first time we have written an industry section for Real Estate, we have been collecting data on this vertical industry for a number of years. This enables us to analyze how the patterns have evolved over time in this vertical . This year, one of the more interesting findings was the continuity in volume of Errors. These Error-related breaches involve Misconfigurations (forgetting to turn those restrictive permissions on), Misdeliveries (email and/or paper documents sent to the incorrect recipient) and Programming errors (mistakes in code) as seen in Figure (97). These Error actions accounted for 18% of data breaches in the Real Estate vertical. If you do business in this industry we urge you to take time for security awareness training and the implementation of sound policies and procedures.

  • Figure 96
  • Figure 97

43 Surely someone has trademarked this, right?