Zoopla has repelled a cyber attack on its Alto property software – with no breach of customer agents’ personal data. It has sent an email to all its Alto customers, explaining the attack – which led to a temporary break in the service – and outlining measures it has taken to prevent a recurrence.
Here is the email in full:
Dear Alto customer,
Alto suffered a service interruption late on 13 December 2019. Here’s what you need to know.

What happened?
For a short time on the evening of Friday 13 December 2019, a third party gained unauthorised entry to an Alto cache by misusing authenticated login credentials. A cache is a temporary data store which helps Alto perform faster for customers. This resulted in the Alto service being unavailable before we restored the cached records in full in the early hours of Saturday 14 December 2019. Our investigation, which we carried out alongside external cyber security experts, has found that no personal data was accessed, downloaded or otherwise viewed.

When did Alto discover the issue?
What did Alto do when it discovered the issue?
Alto’s security monitoring procedures detected the unauthorised entry shortly after it began. Within an hour, our on-call support team had identified the affected cache and disabled the relevant login credentials. We restored the affected records and the service was fully available by the early hours of Saturday 14 December 2019. We are continuing to work alongside external cyber security experts to identify if there are any further steps we can take to reduce the risk of this happening again.

What is Alto doing to make sure this doesn’t happen again?
We have:
• reset all login credentials for the affected cache;
• informed Alto customers through this notification; and
• launched an immediate internal review to identify any further steps we can take to reduce the risk of this happening in future.

Why is Alto telling me about this?
We take security seriously and value our transparent and open relationships with agents. Our investigation has found that no personal data was accessed, downloaded or otherwise viewed, although personal data was temporarily unavailable. As controllers, Alto customers will need to decide whether to notify this matter to EU data protection authorities or to their clients. We do not believe that this is required because there is no risk to their clients resulting from their personal data being temporarily unavailable.

We’re very sorry for any inconvenience that this has caused. The security of our systems is our number one priority and we’re here to help if you have any questions or concerns. We’ve set out some other information you might find helpful in the Q&A below. You can also get in touch by contacting your Alto account manager or by contacting [email protected].

Kind regards
The Alto Team

Alto service interruption – Q&A

What has happened?
Alto is a cloud-based client relationship management software service used by estate and lettings agents to help manage their relationships with clients. For a short time on the evening of 13 December 2019, a third party gained unauthorised entry to an Alto cache by misusing login credentials. This resulted in some copies of client records held on Alto being temporarily made unavailable before we restored them in full in the early hours of Saturday 14 December 2019. Our investigation, which we carried out alongside external cyber security experts, has found that no personal data was accessed, downloaded or otherwise viewed.

Is this a data breach? Should I notify the ICO?
We believe that the temporary unavailability of personal data in the cache can technically be considered a personal data breach under the law. This means that Alto has to tell affected customers about it. The law requires controllers of personal data like Alto customers to notify the Information Commissioner’s Office (ICO) about a personal data breach, unless it is unlikely to result in a risk to affected individuals. As controllers, Alto customers will need to decide whether to notify this matter to the ICO or to individuals affected. We do not believe that this is required because there is no risk to individuals.

How did you find out about the unauthorised entry?
Our security monitoring systems automatically alerted our on-call support team about unusual activity in the affected cache within minutes after the unauthorised entry started.

When did this happen?
The unauthorised entry into the cache started at 20:45 on Friday 13 December and ceased at 21:12 on Friday 13 December.

Was any personal data involved?
Our investigation has found that no personal data was accessed, downloaded or otherwise viewed. The cache affected included personal data records relating to clients of Alto customers (for example, contact details and client notes). These records were temporarily made unavailable to Alto customers but were restored in full in the early hours of Saturday 14 December 2019.

How many customers were affected?
The affected cache included records from all Alto customers. This cache was restored in full in the early hours of Saturday 14 December 2019.

What impact was there on the Alto service?
The temporary unavailability of the affected cache resulted in the Alto service being unavailable to customers overnight. Service was resumed in full before business hours began on Saturday 14 December 2019.

What was the recovery time?
The unauthorised entry began at 20:45 on Friday 13 December 2019. Full service resumed by 02:44 on 14 December 2019.

Do Alto staff have to do data protection training?
All Alto staff are required to complete data protection training when they join Alto. That training is refreshed on a regular basis.
Source: EstateAgentToday