Domino Effect: A Third-Party Vendor's Ransomware Crisis Became Our Own
In August 2023, many real estate agents nationwide woke up to a dire situation: they couldn't manage any of their listings because a significant cyber attack had taken down the multiple listing service (MLS) they were using. For two weeks, agents and home buyers scrambled to find workarounds, some even resorting to pen and paper. It all exacerbated the already chaotic housing market in San Francisco.
It would take 14 days before the system was restored. "It was the longest period a real estate system has been out in America ever," says Jay Pepper-Martens, Chief Technology Officer of the San Francisco Association of Realtors (SFAR). Their organization was the one handling the management of the downed MLS. However, they weren't the ones targeted by the attack. It was a third-party vendor called Rapattoni that was hit. Because the vendor provided the interface and backend software for MLS systems nationwide, the attack caused a domino effect that impacted everyone using its software, including the SFAR MLS.
Intelligent Technical Solutions (ITS) is a cybersecurity service company that has worked with SFAR for years. Just a year before the incident, our teams had been working with them to develop infrastructure to respond to a third-party breach. While the incident happened before they had everything in place, their awareness of the threat allowed them to adapt and react quickly to mitigate the impact. Read on to find out how a vendor's ransomware crisis became our own.
Tipping the Domino: Night of the Breach
On August 8th, 2023, the SFAR team held an event for its staff to celebrate successes and discuss plans for the following year. Unfortunately, a critical third-party vendor called Rapattoni experienced a major ransomware event the same night. The vendor provides core technology that gives members an interface and allows them to connect to many interlinked systems. It is also the backend software SFAR uses to manage its agent body.
It wasn't until the morning of August 9th that SFAR discovered something was wrong with their systems. According to Martens, when they first encountered the downed system, they initially thought Rapattoni was just experiencing a brief outage. It happens all the time: an outage brings down software, and then it comes back after a certain period, usually within a few hours. It's often inconvenient but not catastrophic.
"We assumed this was routine," Martens explained. "[Rapattoni] has been very reliable, and up to that point, we never had an outage that had that much impact."
According to Martens, they communicated with Rapattoni representatives that morning, who told them they were just looking into a problem. However, hours started ticking by, and there was still no update. That was when Martens suspected that what the vendor experienced was out of the ordinary. That night, a member of Rapattoni reached out to the SFAR team to inform them that the vendor was experiencing a severe problem and that the systems would not be up the next day.
On the morning of August 11th, Rapattoni finally presented a formal notice that they had suffered a severe ransomware attack that took down their core systems. What's worse, the SFAR team was informed it could take days before the systems were restored.
The Domino Effect: Impact of the Breach
Because of the interconnectivity of modern businesses today, a single cyber attack can spread, impacting everything connected to it. According to Martens, that's what happened with Rapattoni's ransomware incident.
"We weren't the only ones affected. The software we use isn't only used by us; it's used by a number of different organizations across the country," he said. "Cyber attacks have this nasty way of cascading into other people's businesses to really cause damage. Something like 11% to 14% of real estate agents had their businesses affected," he added.
Third-party risks are a major challenge for IT professionals. That's because interconnectivity offers a great boon for businesses that you just can't pass up. Unfortunately, it can also serve as an Achilles heel for your cybersecurity.
According to Rob Schenk, ITS Chief Experience Officer, "There are pros and cons to the interconnected nature of these applications. One of the pros is that you will get this rich information and data from these various systems because they are all interconnected. But the flip side is that if one of those links gets compromised, it ripples throughout the system."
It's just like a line of dominoes. Tipping one over brings those close enough crashing down with it.
Parallel Systems: Surviving the Breach
Martens and the SFAR team have always been focused on cybersecurity, and thankfully so, because that awareness allowed them to respond to the incident much quicker. In 2022, a year before the incident, Martens and Schenk discussed addressing third-party risks. After their conversation, the SFAR team recognized the threat and immediately took action.
"We've been working with other vendors (who were not Rapattoni) on building parallel systems. We've been doing that work speculatively over the past year, so we were able to fast-track it and put it into production to help our members out. But, it wasn't easy," Martens said.
He said they started publishing data using PDFs and then emailing it via their communications tool. Then, shortly after, the SFARMLS team developed an app that members could run on their phone or desktop that allowed them to edit a few listings in the system. By August 22nd, 13 days after Rapattoni went down, their team had implemented a mostly parallel system for their members to use.
"We had a pretty good parallel system going on," Martens said. "Was it perfect? No. Did it satisfy everyone's needs? Absolutely not," he admitted. However, thanks to their quick thinking and proactiveness, the incident didn't get worse.
On August 23rd, the system was finally back online, marking it as one of the longest periods a real estate system went down. While the situation was handled as well as it could have been at the time, it serves as a reminder to everyone to start building redundancies and parallel systems, because you never know when one of your third-party vendors might experience a similar attack.
Need Help Developing Security Measures for Third-Party Risks?
The key takeaway from Rapattoni's ransomware incident is that you should always have a backup plan and redundancies. That will help eliminate or minimize any instance where you have a single point of failure. Those are essential in mitigating third-party risks, because while you might be prepared to counter all kinds of cyber attacks, your vendors might not be.
ITS is a cybersecurity service company that has helped hundreds of businesses bolster their cybersecurity efforts and prevent third-party risks. Find out exactly how we can help you by scheduling a free IT security assessment. Or you can check out the following resources for more:
- Kronos Ransomware Attack: Lessons on Third-Party Risk Management
- VIDEO: 7 Best Practices to Limit Cybersecurity Risk from Vendors
- VIDEO: 8 Questions to Vet Potential Vendors’ Cybersecurity
- How ITS Cybersecurity Can Help Your Growing Business