Georgia MLS, which boasts approximately 42,000 subscribers, was hit by ransomware on August 16 that may have resulted in the unauthorized disclosure of subscribers’ login and contact information. The MLS notified its members of the data breach on Thursday, 11 days later.
The breach involved GAMLS’s membership management server, which holds its membership database and stores subscribers’ MLS login details, according to the notification sent to members. The membership server contains each subscriber’s user name, email address, phone number, password for Georgia MLS, real estate license number, and any mailing address the MLS may have on file.
John Ryan, Georgia MLS’s chief marketing officer, told Inman via email that on the afternoon of August 16 an employee detected unusual activity on the server and the MLS believes the breach occurred that day.
Asked why GAMLS members were notified 11 days after the breach, Ryan said, “Our first concern was to mitigate the activity and protect our infrastructure from further intrusion, assess the area the criminals accessed, and gauge the effect on our operations. We wanted to fully understand the extent of the breach so we could make an informed statement to our members.”
According to Georgia MLS, its technology team identified the criminal code, immediately replaced the server and restored it back operationally. That affected the MLS’s ability to make agent roster changes for one business day, but no data was lost during the downtime, the MLS said.
Georgia MLS believes the ransomeware strain that struck its server to be called Dharma and has notified the FBI and local authorities, which will be investigating, Ryan said. The MLS is also in the process of working with a forensic cyber security firm, he added.
“A full evaluation is ongoing and we are working with outside cyber security firms to harden our infrastructure,” he said.
Asked whether Georgia MLS was storing subscribers’ passwords in plain text or whether they were encrypted, GAMLS declined to comment. Storing passwords in plain text (meaning exactly as they were typed in) is generally considered bad security practice.
It also does not appear that GAMLS will institute a forced password change as a result of the breach. GAMLS’s notification to members says members will be required to change their password, but its instructions leave agents to make that change at their discretion.
Asked why Georgia MLS will not require a forced password change and whether the MLS had enough staff to cover agent call volume for a forced password change, the MLS declined to comment.
“Georgia MLS takes the role of safe guarding our member’s data in the uppermost regard. Whether it is personal information, or listing data contained in our platforms, we will be vigilant in protecting our members against the attacks of cyber criminals,” Ryan said.
Georgia MLS is not the first MLS to be hacked. On June 11, 2019, MetroList, the largest MLS in Northern California, was hit by a cyberattack and allegedly paid a $10,000 ransom to free itself. MetroList informed its members of the attack the same day it happened.
According to Ryan, Georgia MLS was able to free itself without paying a ransom.
“It was a ransomware attack, but through our recovery protocols no contact was made, nor any money paid out,” he said.
Editor’s note: This story has been updated with an additional comment from Georgia MLS stating the company did not pay a ransom.