Cyberattack On Listings Provider Halts US Real Estate Markets

An anonymous reader quotes a report from Ars Technica: Home buyers, sellers, real estate agents, and listing websites throughout the US have been stymied for five days by a cyberattack on a California company that provides a crucial online service used to track home listings. The attack, which commenced last Wednesday, hit Rapottoni, a software and services provider that supplies Multiple Listing Services to regional real estate groups nationwide. Better known as MLS, it provides instant access to data on which homes are coming to the market, purchase offers, and sales of listed homes. MLS has become essential for connecting buyers to sellers and to the agents and listing websites serving them.

"If you're an avid online refresher on any real estate website, you may have noticed a real nosedive in activity the last couple of days," Peg King, a realty agent in California's Sonoma County, wrote in an email newsletter she sent clients on Friday. "Real estate MLS systems across the country have been unusable since Wednesday after a massive cyberattack against major MLS provider, Rapattoni Corporation. This means that real estate markets (like ours!) can't list new homes, change prices, mark homes as pending/contingent/sold, or list open houses."

While Rapattoni has referred to the incident as a cyberattack, it has been widely reported that the event is a ransomware attack, in which criminals gain unauthorized access to a victim's network, encrypt or download crucial data and demand payment in exchange for decrypting the data or promising not to publish it. Rapattoni has so far not said publicly what sort of attack shut it down or other details. Rapattoni has yet to say whether personal information has been compromised. [...] Not all regional listing services are affected because some use data vendors other than Rapattoni. The damage the outage is causing to agents, buyers, renters, and sellers could get worse unless services are restored in the next few days. On Sunday, Rapattoni wrote: "We are continuing to investigate the nature and scope of the cyberattack that has caused a system outage and we are working diligently to get systems restored as soon as possible. All technical resources at our disposal are continuing to work around the clock through the weekend until this matter is resolved. We still do not have an ETA at this time, but we will continue to update you and keep you informed of our efforts."

CPoF

[RitchCraft]

Central point of failure, who could have predicted?

Re:CPoF

[thegarbz]

There's a difference between "predicted" and "cared". How many years has this been in service and operating? How much was lost in this instance. Even now knowing the risk it may be deemed not important enough to decentralise. Not everything is worth spending money on 99.999% uptime.

Here we're talking about houses. They move slowly. Five days +/- isn't much in the grand scheme of things. If you're talking about a credit card processing service it'd be a very different discussion.

Re:

[jhoegl]

Not to us, sure.

But investment groups might be losing money on the daily. Single families trying to sell houses may be losing money as well, since they have to pay utils/taxes until its sold.

There is good and bad in everything, and we may not know and see it all, but its important to recognize that even though firms trying to buy houses in Hawaii that have burned down are hopefully disrupted, there are others who are hurting that might be losing here as well.

Re:

[GrumpySteen]

Won't someone think of the poor investment groups!

Oh, wait, by definition they aren't poor. They have money to invest and they gambled it on real estate.

Re:

[thegarbz]

You're right but ignoring the timeline. The key difference is between a product that comes and goes at the speed of a swiped card, vs one that is placed on a market and sits on a market, sometimes briefly, sometimes for a long time.

5 days +/- isn't an investment loss. It is well below the expected variance of turnover for such slow moving products. If a single family is living or dying on the basis of selling a house TODAY, then they have bigger problems. Today it's the listing not going up, but it could eq

Re:

[aaarrrgggh]

Creating a 5-day backup in a month can actually create a very dramatic impact on the market when your traditional listing time before offer is under 3 weeks and there is maybe a month worth of inventory on the market. I'm not sure it would impact prices by more than 1-2%, but just that is often enough to have a longer term effect.

It was just a matter of time

[fishnuts]

I used to be a senior engineer at an MLS data processing clearinghouse, handling data from over 200 MLSs. It always boggled me how difficult it was to get various MLS orgs to agree on schemas and metadata for their database entries, while at the same time having it _all_ be managed and distributed by one centralized org. I knew this would happen, and I'm kind of amazed it didn't happen earlier. You'd think that with the amount of money exchanging hands for licensing and access to these massive datasets, they'd figure out how to standardize on a schema and access methods that enables (encourages) decentralized and duplicated storage and transactions. Too much is riding this to not have some sort of redundancy in the system (for transactions and edits, not just replicating the data everywhere, like on ReMax, Redfin, Lyon, Zillow, and other real estate services vendors' networks... that's the easy part)
MLS has been used for YEARS and nobody thought to decentralize its transactional features, making a virtual monopoly on the most important functions, and that irked the hell out of me.

Re:

[Firethorn]

Could part of this be due to wanting to have propriatary data to help force customers to keep using real estate agents?

I remember in one state not being able to see the exact addresses for any listed property, forcing you to go to agents, and another giving you the actual addresses so you could, you know, look at the properties.

Given my semi-recent introduction into: Racism, it gets worse the more you look, I could easily see the prior situation being so that real estate agents could "guide" buyers into th

Re:

[muh_freeze_peach]

Tell me you don't know how statistics work without saying it

Re:

[Powercntrl]

Could part of this be due to wanting to have propriatary data to help force customers to keep using real estate agents?

Definitely.

Real estate is a gravy train for all parties involved except the prospective homeowner. And if you ever attempt to sell your "investment", you'll either need to relocate out to BFE or live in your car to realize any actual profit. Everyone needs a place to live though, and rental housing is also a money-sucking shitshow, so it is what it is.

Re:

[pak9rabid]

Could part of this be due to wanting to have propriatary data to help force customers to keep using real estate agents?

This is 100% the reason.

Source: I used to work at a company that developed MLS software and the fucked up associations that used it.

Re:

[rudy_wayne]

I used to be a senior engineer at an MLS data processing clearinghouse, handling data from over 200 MLSs. It always boggled me how difficult it was to get various MLS orgs to agree on schemas and metadata for their database entries,

That's probably all true, but irrelevant. This problem has nothing to do with database schemas. This is a bunch of corrupt, incompetent buffoons who can't be bothered to pay attention to security because it would cut into their profits.

This is happening more and more across all businesses and will continue to get worse until businesses are held accountable and face serious consequences for failing to secure their systems.

Re:

[Anonymous Coward]

This is happening more and more across all businesses and will continue to get worse until businesses are held accountable and face serious consequences for failing to secure their systems.

Here here! So, let's start with the executive staff and their fucking portable tablets and laptops they demand to have all the time. No more portable data. You come to work to work on it. The FUCK do you need social media access for? Riddled with scams and malware. Email is to/from approved domains. Everything is audited 24/7, including the built-in cameras.

If an attack happens, we'll begin the criminal prosecutions. Starting with that moron in charge of cybersecurity. Not that CxOs would ever purp

Re:

[toxonix]

I had access to MLS because some real estate agent gave me her login. It was complete trash and still is. However, when you let software get that old and pervasive, it's nearly impossible to improve it. Look at the GDS systems we use for travel. We might have modern front ends like Expedia and Booking.com and a few hundred others that link into the GDS, but at the back end those links are basically green screen commands going through a virtual terminal. Basically hundreds of different EDI formats that need

Re:

[pak9rabid]

Perhaps you've heard of RETS and RESO [focus-itsolutions.com] ?

Mmmm, one of my favorite meals

[93 Escort Wagon]

Rapattoni and meatballs, with a side of garlic bread - yum!

Tell me

[eneville]

I bet that's a windows setup

Re:

[sinij]

I bet that's a windows setup

It is charming fixer-upper for sure.

Re:

[Zontar_Thing_From_Ve]

I bet that's a windows setup

Based on my decades of IT experience, I would say I'm sure that's right and that everybody who works on it is either based outside the USA in you know where or they are all H-1B workers if they actually have US based workers responsible.