“WhoComplies” sends along word of his frustrating experience dealing with his child’s apartment complex in California. The complex is owned and operated by Essex Property Trust. Essex is a real estate investment trust (REIT) that acquires, develops, redevelops, and manages 140 multifamily apartment communities in California and Washington.
To make monthly rent payments, WhoComplies decided to register for Essex’s online payment system. The apartment manager’s office provided him with the registration code he needed, and off he went to register on Essex’s site.
Only after completing registration for online payments on Essex’s site, though, did Essex display a splash screen informing users that they had experienced a suspected cyberattack that a forensic firm was investigating.
“Seriously, you tell me this “NOW” after I registered for the online payment system?! Why wasn’t it shut down ????” WhoComplies writes to DataBreaches.net. It’s a good question.
WhoComplies left an (understandably) irate voicemail for Essex.
“Later in the day I received a voice message from the Essex front office. The woman stated they were experiencing “PROBLEMS” with their system and they preferred I send a paper check for my child’s rent. Not one word about hackers or a data breach,” WhoComplies writes.
There is no statement about the suspected breach on Essex’s web site. In an emailed statement to those potentially affected, Essex writes, in part:
From: Resident Notification
Sent: Friday, October 3, 2014 5:04 PM
To: [REDACTED]
Subject: A notice from Essex: Help protect your identity
October 3, 2014
Dear Valued Resident,
We appreciate your patience and support these past few days, as residents and employees react to the disclosure of the cyber-attack on Essex’s computers. We share and understand your frustration, and want you to know that we are listening. We promised to update you periodically, which is the purpose of this letter.
Many of our residents and employees have asked why we announced the cyber-attack before completing our investigation. The simple answer is that prompt disclosure is in the best interests of everyone involved because it allows greater awareness and sensitivity to possible problems, allowing us to react quickly and thoughtfully. At this point, we have no evidence that any resident or employee information has been misused. We intend to be direct, transparent, and proactive about what we know, so that everyone who is affected can be alerted to suspicious or fraudulent activity. If we learn that any individual’s information has, in fact, been compromised, we will promptly and directly notify that individual.
We are committed to doing all that we can to answer your questions and offer our support as our team works to uncover additional information about the cyber-attack into our network. As you know, cyber-attacks on Americans are increasing in frequency and cyber-criminals have become very sophisticated. In response to this condition, there are companies that specialize in response to such attacks. That is why we have partnered with AllClear ID (our helpline), a team of professionals who specialize in identity theft protection solutions; they have the ability to field your questions and provide helpful resources in a timely manner.
Again, we want to emphasize that there is no evidence so far that any individual’s information has been misused, and we understand the need for resources and steps to help safeguard your personal information in light of the potential risk from this cyber-attack.
At the end of this letter is an outline of some steps you can take to protect your identity. In addition, out of an abundance of caution, we are putting together a plan to provide identity theft protection services to our current residents and employees. We will provide additional information about those services very soon.
In the meantime, we encourage you to call the dedicated helpline we have established at 1-855-398-6434 if you have questions or concerns. We are working closely with AllClear ID to ensure they have the most up-to-date information on this situation.
On behalf of everyone at Essex, I want to reiterate that we share your concern and frustration, and we are taking this matter very seriously. In addition to assisting residents and employees, our focus is to complete a thorough investigation using third-party computer forensic experts and keep you informed of any developments.
Thank you for your patience and support.
Michael Schall
President and CEO
Essex Property Trust
The remainder of the letter provides tips for people as to how to protect their identity.
Notice that the letter does not state what kinds of personal information may have been compromised, nor how many people might be affected. Nor, for that matter, does it state when the breach occurred or how it was detected. Of course it’s possible that they don’t yet have that information, but as WhoComplies notes, Essex’s online payment portal accepts ACH bank payments and payment card transactions for rent.
I give Essex credit for not waiting until their investigation was complete and for trying to be proactive, but then be proactive – don’t allow people who are not already at risk to input their personal information until you’ve ensured that your system is secure. And if you say you want to be transparent, then be transparent – tell people what types of information you have stored about them that might have been compromised. Otherwise, why would they make serious efforts to protect themselves?