In this week’s bulletin, Charlie looks at the recent cyber incident from Clarion and explains how organisations can recover from a cyber incident.
Next week, I am conducting a cyber exercise for a housing association, and in preparation, I decided to explore the specific impact of a cyber incident on housing associations. When discussing cyber-attacks, the most frequently mentioned event was the Clarion cyber incident that occurred in June 2022. What have I learned so far?
When teaching crisis communication, one crucial consideration is the attitude of key stakeholders before a crisis event. Will they rally around and support the organisation, or does the incident reinforce an existing narrative about the organisation’s dealings with stakeholders and customers? Reading the responses to Clarion’s organisation update posts on Facebook after the incident, each post triggered a barrage of abuse and anger. One particular post by Clarion solicited over 250 comments and replies. From the post, it appears that Clarion had a poor reputation and strained relations with its customers even before the hack, with complaints about the lack of response to issues and repairs, as well as generally poor customer service. In 2021, Clarion was subject to a London and ITV investigation revealing numerous stories of housing disrepair, with tenants living in substandard conditions despite reporting these issues. The cyber incident further fuelled the perception of organisational incompetence, leading to frustration and anger among customers. The key lesson from this event is that if an organisation has a poor reputation before a cyber incident, it should be prepared for a wave of disgruntled and frustrated customers.
Having disgruntled customers is not unique to the housing industry, but incidents affecting housing have unique elements. The provision of housing plays a significant role in people’s lives, as issues such as a broken window or loss of heating directly impact individuals, their families and their quality of life. Unlike other goods or service providers, switching housing providers is not easily done. Permission from the housing association is required to move out, and if residents undertake repairs themselves, they cannot reclaim the costs. This lack of flexibility exacerbates the impact of poor service.
Poor communication after the cyber incident intensified resident anger, leading to the Social Housing Action Campaign (SHAC) calling for government intervention due to the inadequate response. Crisis communications are challenging even in the best of times, but dealing with a cyber-attack further limits available communication channels. In Clarion’s case, the cyber-attack affected their telephony system, leaving only a single emergency number as the main means of interaction. After a few days, live chat and Facebook were suggested alternatives. I suspect another difficulty could have been that many of the residents in Clarion’s houses may have been elderly or not that tech savvy. If residents are accustomed to using the telephone to contact the organisation, adapting to alternative means may pose difficulties. The lesson here is to carefully plan how communication will be conducted during system outages and ensure that alternatives are suitable and accessible, especially for elderly or technologically unfamiliar individuals.
Clarion’s delayed admission of a cyber-attack raised concerns, particularly as they had earlier instructed residents to contact them only in emergencies. The cause of the five-day delay, whether it stemmed from slow communication processes or an attempt to conceal the incident, remains ambiguous. Nevertheless, such a prolonged acknowledgement period indicates poor incident management.
Examining Figure 1, a depiction of communications on Clarion’s Facebook, reveals that Clarion acknowledged on the 28th of June, 11 days after the incident commenced, that it would take ‘some time to bring our systems back online’. Notably, an apology video and update from their Chief Customer Officer only emerged on the 16th of August, a month after the incident unfolded. The chronology of these events implies a reactive, rather than proactive, communication strategy. An article by Cyber Security Awareness in August 2022 criticised Clarion’s response for its tardiness and inadequate comprehension of the breach’s severity and impact. This underscores the vital need to seize control of the narrative and adopt a proactive stance in crisis communications.
Housing associations, being custodians of residents’ personal data, possess information that holds significant value for scammers. If this data is illicitly accessed, it becomes a valuable resource for those seeking to defraud residents. Armed with contact details and insights into individuals’ recent transactions, scammers can impersonate officials from the housing association, attempting to extract sensitive information such as bank account or credit card details. Despite Clarion’s assurance that no data was lost, the Social Housing Action Campaign (SHAC) reported a surge in phishing activity among residents. Whether this increase stems from heightened awareness or actual phishing attempts remains unclear. In response, housing associations must promptly communicate if there is a potential loss of data, advising residents on precautionary measures to safeguard themselves from potential scams.
The last mention of the incident on Facebook was on the 15th of November, stating that Clarion accounts balances are now correct. However, it is unclear if issues persist beyond this date. Cyber incidents across industries take time to resolve, and Clarion’s case is no exception.
Many of the challenges faced by Clarion in their response were typical of a cyber-attack, but certain elements are unique to housing. Housing issues have an immediate and larger impact on people’s lives than other products or services, making a cyber incident affecting service to residents more impactful. As many housing association residents may be vulnerable, elderly, or not tech-savvy, any changes to contacting the organisation must consider these factors. Since housing is an emotive issue, communication is crucial in successfully managing an incident. Delayed, incomplete, or reactive communications can significantly impact and anger residents. Finally, if information held by housing associations is lost, scammers may exploit this. In their response, housing associations must communicate early if there is a potential loss of data and advise residents on precautions. These factors underscore the importance of preparation for housing associations to successfully manage a cyber incident.