Anywhere data breach affects 17,000 customers

Anywhere Real State suffered a data breach in August that affected 17,429, the company notified impacted customers.

A notorious ransomware and extortion gang known as Clop gained access to the company's Oracle E-Business Suite environment and viewed or copied sensitive customer data, according to a notice with the Office of the Maine Attorney General. Anywhere said in a letter to potentially affected customers that names, addresses and Social Security numbers may have been compromised.

Customers were notified Jan. 30 after the company, based in Madison, New Jersey, discovered the breach Dec. 17.

"Late last year, Oracle disclosed a global software vulnerability. Following a thorough review, we identified limited impact which ultimately allowed access to historical employee data. Impacted individuals were notified directly and offered complimentary credit monitoring and identity protection services," an Anywhere spokesperson told National Mortgage News. "There was no impact to business operations, and no consumer transaction data was involved."

Clop attacked Oracle's enterprise resource planning platform in August to gain access to its customers' data, exploiting a zero-day vulnerability in the software. 

The group went undetected for weeks, exfiltrating large volumes of files, before sending hundreds of extortion emails on Sept. 29 using compromised email accounts, demanding ransom payments under the threat of leaking data, according to BlackFog. Union Home Mortgage said last month it paid a ransomware gang to delete sensitive data they stole in a cyberattack last year.

By breaching a common platform, Clop hit many companies at once, including Anywhere, American Airlines and Harvard University, BlackFog reported. Oracle deployed "critical patches" to address the vulnerability.

Anywhere, one of the largest residential real estate services companies and parent company of Century 21 and Coldwell Banker, was officially acquired by Compass last month, merging more than 200,000 real estate agents in the United States alone under one roof.

In the letter, Anywhere said it noticed a cybersecurity incident on Nov. 24, and, upon investigation, found information about franchisees and brokers had been downloaded and exported. 

The company said it worked "swiftly to remediate the vulnerability" once Oracle alerted it and has taken steps to minimize similar risks. Anywhere is also providing customers impacted with access to two years of complimentary credit monitoring and identity protection through Experian.

Multiple lenders endured breaches last year, and face subsequent lawsuits as a result. SitusAMC is one of the most recent real estate companies to enter a legal dispute over a data breach in the fall. 

Anywhere settled a lawsuit last January over the Telephone Consumer Protection Law Act that was on the brink of jury trial for $20 million. 

Nothing yet has been filed against Anywhere or Oracle.