30-Nov-21 – A ransomware attack on a property management company in Chicago did not get ransom but exposed personal information about unit owners and prospective unit owners at John Hancock Center.

Cancelled checks, credit reports, and loan documents were exposed in the attack that was first noticed by Sudler Property Management on October 31.

At a meeting on November 15 of 175 East Delaware Place Homeowners Association, Alfred Saikali, a privacy and data security lawyer with Shook, Hardy & Bacon in Miami, told owners there is evidence their name, address, and bank account information were “probably taken” if they paid Sudler with a paper check.

(Left) November 15 meeting of the homeowner’s association at John Hancock Center, at which unit owners learned more about the data breach.

The news was worse for prospective unit owners whose credit reports were shared with Sudler. Those reports may have been taken, including their name, address, social security number, date of birth, and some bank account information.

And loan documents may have been intercepted that included the name, contact information, social security number, date of birth, and driver’s license of board members who obtained loans on behalf of the association.

Saikali said the attack, described by Sudler as “sophisticated,” was discovered when certain computer files could not be accessed because they had been encrypted by an unauthorized third party. He says the files were restored from a secure cloud-based backup.

“It allowed them to become operational again, fairly quickly relative to how other companies experience these incidents,” said Saikali (right). When Sudler notified the HOA on November 9, they thought only the association’s bank account number and routing number had been accessed. However, by November 12, they realized more information may have been taken.

Sudler called the conclusions “preliminary” but advised unit owners to monitor their bank accounts for unauthorized activity. Saikali also recommended they implement multi-factor authentication – for example, a password plus other identification such as a code number sent to them by text – on accounts where sensitive information is at risk.

He said once more is known about the incident, “within a month or two,” Sudler will send a formal notice to owners and, if a social security number or driver’s license was exposed, offer credit monitoring.

Paying ransom not an option

Saikali says the FBI, Illinois Attorney General’s office, and other law enforcement agencies were notified about the ransomware attack. Paying the ransom, however, the amount of which he did not disclose, was not an option.

“With ransomware, there is a [federal government] list of...threat actors or terrorists that you [are] just not allowed to make any payments [to],” he said. “If you do it, you potentially go to jail and face civil sanctions.”

Saikali, who says he has handled more than 1,500 cybersecurity incidents, says Sudler is still investigating the incident but has addressed the “underlying vulnerability” that led to the attack. “What I can say from my personal experience is that...if there’s any silver lining in it, that companies really learn their lessons and they...implement much stronger security measures,” said Saikali at the November 15 meeting. “But I represented...some of the top Fortune 50 companies that spend billions of dollars in security, and they still have these major data breaches.”

Saikali says regardless of how much an organization spends on cybersecurity, there will always be a risk of a data breach.

“It just happens, unfortunately,” he said. “It’s the world we live in. I’m not saying that excuses it. I’m just saying that’s just sort of a reality of doing business these days.”