It’s been more than a month since the Clarion Housing Group was hit by a cyber attack, yet IT services remain down and residents say they are being bombarded with phishing scams.
Clarion, which manages 350,000 people in 125,000 homes across the UK, was compromised in June in a suspected malware attack. The housing association said that the incident affected phone lines and other IT systems, and advised residents not to contact Clarion by phone unless they needed an emergency repair.
It added that any email sent to landlords from Friday, 17 June had not been received, although it confirmed that rent and service charge payment systems had not been affected.
Clarion said it was rapidly engaging with partners to fix the situation, but warned that it could take some time to get all systems back online.
Several weeks later and residents are still reporting disruption. Tenants have reportedly been given little information about the attack, and are still unable to request repairs, report anti-social behaviour, enquire about rent or service charges, or receive help with finances.
Tenants are also unable to make phone calls, while online services are inaccessible.
Residents are desperate for help
Following the cyber attack and ongoing disruption, the SHAC (Social Housing Action Campaign) has called for ministers to intervene.
Suzanne Muna, SHAC secretary, said: “We are asking for government to urgently intervene in the governance of Clarion after it shut down most of its services on June 17 2022 following a cyber attack. Services have not yet been restored and the organisation has yet to provide a date for doing so.”
Meanwhile, in an open letter to the newly appointed Minister of State for Levelling Up, Housing and Communities, Marcus Jones, the SHAC wrote: “Clarion had not sufficiently prepared for a major systems outage of this nature. The responsibility for this failing lies ultimately with the board.
“Our members ask that the Minister of State use his powers of office to remove and replace the Clarion board with competent governors in the immediate future, and engage with tenants and residents over the long-term future of the organisation.”
This is not the first time that Clarion has faced criticism. In 2021, MyLondon and ITV investigations uncovered countless stories of housing disrepair, with Clarion tenants living among damp, mould, cockroaches, mice and rats, despite reporting issues to their landlord.
SHAC’s open letter cites the cyber attack as the final straw, with many tenants in agreement.
A Clarion tenant from Wood Green told MyLondon that she supports a reform of Clarion’s board. She said: “Tenants are really genuine, they’re worried about their rent, they don’t want to get into arrears. Most tenants are looking for reassurance. I can clearly say Clarion has not applied reassurance whatsoever.”
She added: “I do think there needs to be an intervention or some sort – Clarion can’t keep getting away with the way they have treated people over the past five to 10 years, they’ve treated tenants badly. I think there should be a very strong fine – there should be something put in place.”
Tenants fear targeted phishing scams
The damage caused by cyber attacks often isn’t limited to the initial disruption. Incidents often result in individuals’ personal data being compromised, which criminal hackers can use to launch secondary attacks.
You will often see breached organisations and cyber security experts warn of phishing attacks – i.e. bogus emails that attempt to trick people into handing over login credentials or downloading malware.
The messages often make use of information that the criminals know about the victim to make their scam seem more believable. In an incident such as the Clarion cyber attack, the criminals might, for example, purport to be the housing association itself and offer an update about the situation.
With residents desperate for any information, they will be more inclined to follow links or provide their personal details.
According to an SHAC poll, 84% of respondents suffered an increase in phishing activity following the cyber attack. In one case, a tenant received 31 phishing messages in three weeks.
Another tenant who reported an increase in phishing emails said: “It’s been a terrible failure, somebody has to take responsibility for it – for any set up like that, the board is responsible – we also need the government to step up and help us out – to take responsibility for it.”
But for Clarion residents to be targeted by phishing, the attackers need email addresses of its residents. The housing association says that no personal information was compromised in the attack.
In an update on its website, Clarion wrote: “We are now confident that our Customer Relationship Management (CRM) system, which is our main store of customer data, was not accessed. We are continuing the investigation into the extent to which data held in other repositories may have been impacted.”
Based on the SHAC’s poll and the evidence supplied by residents themselves, you can forgive anyone for doubting Clarion’s statement. However, while so little is known about the specific nature of the cyber attack, it’s impossible to say how likely it is that personal information was compromised.