Real Estate and Rental and Leasing


  • Summary

    Web Applications attacks utilizing stolen credentials are rife in this vertical. Social engineering attacks in which adversaries insert themselves into the property transfer process and attempt to direct fund transfers to attacker-owned bank accounts are also prevalent. As in many other industries, Misconfigurations are impacting this sector.


    37 incidents, 33 with confirmed data disclosure

    Top Patterns 

    Web Application, Everything Else and Miscellaneous Errors represent 88% of data breaches

    Threat Actors 

    External (73%), Internal (27%) (breaches)

    Actor Motives 

    Financial (45%—97%), Convenience/Espionage (0%—40% each), Fear/Fun/Grudge/Ideology/Other/Secondary (0%—21% each) (breaches)

    Data Compromised

    Personal (83%), Internal (43%), Other (43%), Credentials (40%) (breaches)

    Top Controls

    Secure Configuration (CSC 5, CSC 11), Implement a Security Awareness and Training Program (CSC 17), Boundary Defense (CSC 12)

    Data Analysis Notes

    Actor Motives are represented by percentage ranges, as only eight breaches had a known motive. Some charts also do not have enough observations to have their expected value shown.


    There is nothing quite like that feeling of owning your first home. Moving in, enjoying the smell of fresh paint, and reflecting on all the memories you’ll make. Our data for this vertical indicates that cyber criminals are also being allowed to move right in and make themselves at home. Whether they are attending a showing of your data via Web Applications attacks, utilizing social engineering in the Everything Else pattern or simply being asked to drop in by your employees through an assortment of Miscellaneous Errors, they are certainly being made welcome. As you can see in Figure 95, it is difficult to state conclusively which of these three patterns is the statistical leader, but we can assert that they are all in the running.

    Don’t leave the key under the welcome mat

    Although we saw a rather small number of breaches in this sector over the last year, there are some interesting high-level findings to discuss. As in many other sectors, criminals have been actively leveraging stolen credentials to access users' inboxes and conduct nefarious activities. In fact, across all industries, credential theft is so ubiquitous perhaps it would be more accurate to consider them time shares rather than owned. Meanwhile, other external actors are relying on social engineering to get the job done. Some of these activities are simply aimed at stealing your data, but in other cases these attacks can be used to tee up a separate assault, as seen in many of the attacks that leverage pretexting.

  • Figure 95
  • Figure 96 shows how Bad Guys™ [43] exploit the milk of human kindness to dupe well-meaning employees into assisting them to achieve their objectives. They use pretexts to alter someone’s behavior in such a manner that the employee divulges sensitive information, or otherwise unwittingly helps them to commit fraud. One example of this type of social engineering is when the attacker inserts themselves into an email thread regarding the sale or purchase of a new home and convinces the victim organization to transfer funds to attacker-owned bank accounts. It’s worthwhile to make a phone call to confirm details before making this type of significant transaction.

  • You sent that to who?!

    Even though this is the first time we have written an industry section for Real Estate, we have been collecting data on this vertical for a number of years. This enables us to analyze how the patterns have evolved over time in this vertical. This year, one of the more interesting findings was the continuity in volume of Errors. These Error-related breaches involve Misconfigurations (forgetting to turn those restrictive permissions on), Misdeliveries (email and/or paper documents sent to the incorrect recipient) and Programming errors (mistakes in code), as seen in Figure 97. These Error actions accounted for 18% of data breaches in the Real Estate vertical. If you do business in this industry, we urge you to take time for security awareness training and the implementation of sound policies and procedures.

  • Figure 96
  • Figure 97

43 Surely someone has trademarked this, right?