England: Housing association defrauded of almost £1m in cyber scam
A housing association in England has received a governance downgrade after it lost nearly £1 million as a result of a cyber scam.
Red Kite Community Housing, which owns around 6,500 homes in Wycombe, said criminals had mimicked the domain and email details of known contacts that were providing services to the housing provider.
Through this perpetrators managed to recreate an email thread that misled those who were copied into the email that it was a genuine follow-up to an existing conversation.
The landlord said it still had a two-stage process in place to verify changes to payments and accounts, which ordinarily would have caught the attempt, but human error resulted in a missed opportunity to prevent £932,691.48 being taken.
The incident, which occurred in August 2019, was immediately reported to the police, Red Kite’s insurance company and the Regulator of Social Housing (RSH).
The RSH has now downgraded Red Kite from G1 to G2 due to a “basic failure” in its system of internal controls.
The regulator acknowledged the landlord met requirements but needed to improve some aspects of its governance arrangements to support continued compliance. It concluded that improvements are required to Red Kite’s control framework to ensure that key financial controls are robust, operating in line with established policies and procedures and with appropriate leadership oversight.
RSH stated that the housing provider has met its co-regulatory obligations in self-referring the matter and is working with Red Kite to address the weaknesses identified.
The judgement said: “Improvements are required to Red Kite’s control framework to ensure that key financial controls are robust, operating in line with established policies and procedures and with appropriate leadership oversight.”
Red Kite said it understands the decision and reassured that its systems were not compromised.
Providing a full and frank account of the incident on its website, the landlord said: “Over the eight years that we have been established, we have built robust processes and systems that have successfully prevented all previous cyber-crime attempts.
“Our sector is targeted by cyber-criminals on an almost daily basis, and we are no different. Our IT systems and teams detect and stop attempts to access information and steal data or money every day.
“We have never been complacent – we have experts regularly try and break into our systems, identify vulnerability and build new defences against new forms of attack, and of course these have been regularly audited and deemed entirely fit for purpose.
“I’m sure that we are no different in these respects from many other housing associations.
“But what happened to us this time was different and it has brought home to us that you can never drop your guard for a moment, no matter how safe you think your systems are.”
Red Kite added: “We can’t begin to describe how much time and effort it has taken to investigate, review and audit systems and keep our stakeholders, including our members, updated. We brought in an internationally renowned cyber-specialist organisation to help identify what happened and to find evidence that we could pass onto the police and to thoroughly test and report on our systems.
“We are reassured that our systems were not compromised. However, that does nothing to ease the pain of the situation. As such we have continued to build additional security measures into our IT and to review completely all our processes in relation to payments in order to minimise the chance of a single point of weakness occurring in the future.
“Most importantly, we have strengthened further our staff training in the risks.
“One key lesson is that no matter how good you believe your systems to be, the human dimension will always be a potential weakness. By talking about this openly, we hope that colleagues in the sector reflect on their own systems and take the opportunity to ensure that this doesn’t happen to them.”