Waverley Housing was subject to a significant cyber ransomware attack on Saturday 4th April. Hackers deleted files from the company’s servers and encrypted others. The purpose of the attack appears to have been to extort monies from Waverley Housing.
Tenants and other customers of Waverley Housing have been notified regarding this matter.
REPORT TO ICO
Following our report to the ICO on 6th April 2020, the ICO has given its decision not to take any regulatory action against Waverley Housing.
Nevertheless, the ICO did state that it was likely, from the evidence we submitted to them, that we did not process personal data with an appropriate level of security, which allowed the attack to take place. However, we maintained a low level of risk to data subjects and that, along with other factors, such as the duration of the breach, our quick reporting to the ICO, the lack of evidence to suggest data exfiltration or access to sensitive data, and the absence of any reported detriment to those who may have been affected, formed part of their decision-making not to take regulatory action against us. If further information to that reported comes to light, we have undertaken to update the ICO accordingly. The ICO’s decision letter is available here.
We continue, along with our ICT specialists, to work towards full recovery of our systems and will address any weaknesses which may be identified during this recovery work.
For information, please read below our prepared responses to questions we think you may be asking. We will update this section as more frequently asked questions arise.
CYBER-ATTACK – FAQs
When did the attack occur?
It occurred on Saturday 4th April and was detected by our IT staff on Sunday 5th April.
Why have we not been told until 8 April?
It has taken a couple of days to undertake an assessment of the extent of damage to our IT systems and we needed to obtain specialist support to complete this exercise.
What measures did you have in place to protect your IT systems?
We had in place a range of measures including the following:
- appropriate boundary firewalls and internet gateways
- secure configuration to only allow staff limited access to the IT services they required for their job
- access control: administrative access only available to our IT staff
- appropriate malware/anti-virus protection in place
- software regularly updated with the latest security patches installed
- our IT security is regularly assessed by an external IT support company
Will my personal information be available to the hackers?
It is not possible for us to be certain about this as the hackers have destroyed some files and encrypted others. We feel that the motivation for the attack has been to extort monies from Waverley Housing rather than trying to gain access to residents’ personal information. Most personal information we hold is related to residents’ name, address and contact details, which is information that is usually in the public domain. However, we recognise that there is a possibility that the hackers could access some sensitive personal information that has been provided to us.
If any tenants or other customers consider their personal data may have been affected, please contact us on (01450) 364200 and press Option 4 to discuss with a member of our staff.
Have you notified the appropriate authorities?
We have notified the Information Commissioner’s Office (ICO) as mentioned above, the Scottish Housing Regulator and Police Scotland. We will continue to liaise with each organisation as the situation develops.
Are you sure my bank account details are safe?
Yes, we are sure that we do not hold information that would allow hackers to access your bank account. If you have any concerns about the security measures you have in place to manage your banking arrangements you should speak to your bank about this.
Can I still pay my rent over the telephone and will my payment be secure?
Yes – all payments received by telephone remain secure.
How much is this going to cost Waverley?
It is too early to confirm the additional costs that we will incur in sorting out this cyber-attack. However, it should be noted that we have an ongoing contract with an IT company and, as part of that contract, they are providing some of the support we need to resolve this matter. In addition, we have been in touch with our insurers and are confident that we will receive some support to meet the costs of this exercise.
Have the hackers demanded a ransom and are you paying it?
The hackers have demanded a ransom and we are not paying it.
How can you ensure that this will not happen again?
No company can be 100% sure that it will not suffer from a cyber-attack. As we work to return our IT systems to normal, we will be undertaking a lessons learned exercise where we identify actions we need to take to make our IT systems as robust as possible to withstand any future cyber-attack.
When will your IT systems be back to normal?
We continue to focus on restoring all of our systems to normal. Whilst this has taken longer than we had anticipated, we hope to be back to normal very soon. We are continuing to provide services, albeit restricted as a result of coronavirus. You should continue to contact us if you need to speak with us, for example, to report an essential or emergency repair.
Will you be keeping us updated?
Yes. As we continue our work on this matter, we will share relevant information with our tenants and customers as and when it becomes available.
I am not happy about the way Waverley has dealt with my query about this matter.
We are sorry if you feel unhappy with our response. If you still feel dissatisfied, you can use our complaints process to register a complaint with us.