An increase in the number of cyberattacks against U.S. Housing Authorities – and public sector entities overall – reinforces the need for the highest levels of vigilance and security given the sensitive information their systems contain about residents, employees, suppliers, and more.

According to BlackFog.com, which issues monthly reports on publicly disclosed ransomware attacks (and is adding undisclosed attacks this year), “So far, the first two months of 2023 are showing more reported attacks than in prior years.” The site estimates the percentage of attacks unreported has increased by 543%. In 88% of attacks, data is taken. The average ransom payment in the U.S. as of the third quarter of 2022 reached more than $408,000.

In recent months and years, the frequency of attacks on public housing authorities has increased dramatically.

As reported by the HAI Group – a member-owned insurance carrier founded by and dedicated to public and affordable housing communities – in September of 2021, a housing authority was the target of a cyberattack. A file containing passwords was stored on its main server and enabled cyber criminals to access and lock its main server, resulting in the authority paying a ransom. (To learn the full story, the impact of the attack, and what the housing authority did following the attack, view this 15-minute YouTube video made by the HAI Group in conjunction with the housing authority: The Anatomy of a Cyberattack.)

Techcrunch.com reported that in early 2023, another housing authority confirmed that it was investigating a cyber incident that occurred last November. It came to light in January, when LockBit ransomware gang claimed responsibility for stealing 15 terabytes of data – including personal information about housing assistance applicants, payroll, and accounting. Sample files were uploaded to the dark web with a threat to publish all of the information in late January. It is purported that the agency did not meet the cybercriminals’ ransom demands.

According to TheRecord.Media, in January of this year, yet another housing agency began notifying over 212,000 people that private information about them and possibly their children was leaked in an attack that started last September. The data leaked included Social Security Numbers, names, addresses and birthdays. In addition, the agency was unable to send checks to 8,000 Section 8 federal housing choice voucher program landlords (resorting to manual distribution). Victims have received 12 months of identity protection services, including theft recovery and a $1 million reimbursement policy.

What can your housing authority do to protect its systems and data from ransomware attacks? As reported on HAI.com, “There’s cybersecurity help available, and it comes at no cost to public housing organizations. The Multi-State Information Sharing & Analysis Center (MS-ISAC)–operated by the Center for Internet Security and recommended by the U.S. Department of Homeland Security—provides various free cybersecurity services to U.S. state, local, tribal, and territorial government entities, including public housing organizations.”

More is coming as new laws take effect and evolve; government leaders advocate for new and stronger regulations; the White House issues a new National Cybersecurity Strategy; CISA launches new tools like the Ransomware Vulnerability Warning Pilot; and more.

No doubt, cybersecurity demands an all-hands-on-board approach for housing authorities. To free you up to focus on this and your housing authority’s many other responsibilities, RBT CPAs is here to partner with you on accounting, tax, audit, and advisory services. We’re a leading accounting firm in the Hudson Valley and have been supporting government agencies for over 50 years. To learn more, give us a call.

Please Note: RBT CPAs is an accounting firm – not a technology or security agency. This article is meant to provide an update on the state of cybersecurity for housing authorities, but is in no way intended to provide advice or direction. Please consult the appropriate authorities for cybersecurity planning, direction, and assistance.