Cairn Estate and Letting fails to inform tenants of compromised email account.
A series of emails obtained by The Glasgow Guardian appear to show that an email account owned by Cairn Estate and Letting Agency has been compromised, potentially exposing the personal information of numerous tenants. The Glasgow Guardian is aware of at least one tenant that has been defrauded as a result.
The Glasgow Guardian was first alerted to the possibility that an email account belonging to Cairn may have been hacked by a post on the Facebook page "Glasknow 2.0". After contacting the author of the post, The Glasgow Guardian was provided with a number of emails sent between the author and an account operated by Cairn. The emails show the author, a tenant residing in a property managed by Cairn, being directed to send three months worth of rent to a bank account different to that which they had been directed to pay rent to previously.
After paying £1470.15 to the specified account, the tenant was told the following by an employee of Cairn:
“Unfortunately this is a scam and both these bank details you have been provided are incorrect and we believe this to be an act of fraud.”
Despite the fact that it was one of Cairn’s email addresses that was used to perpetrate the fraud, the company denied any liability for the lost funds and continued to pursue the tenant for the full amount of rent owed under their lease. In an email sent to the tenant, an employee of Cairn made it clear that the company would not take responsibility for the incident, stating:
“The email conversation you had with the hacker was done so without our knowledge. The email exchange you had was not with any person within or associated to our business.
“No one from our company asked you to pay money into a different bank account hence there is no liability on our end.”
In the months that followed, Cairn continued to deny any liability for the incident. The dispute was eventually settled when the tenant’s bank successfully recovered the lost funds, allowing them to satisfy Cairn’s demands for payment.
As a letting agency, Cairn is responsible for handling large volumes of personal information regarding its tenants. Despite this, Cairn appears not to have informed any tenants that one of its email addresses was compromised. At the request of The Glasgow Guardian, a tenant contacted the company to ask if they were indeed hacked and, if so, what steps they should take to safeguard their personal information. In response to this query, an employee of Cairn replied:
“Can I ask where you heard this from? We have not been hacked.”
In a follow up phone call, a member of staff reiterated the claim that the account in question had not been compromised and told the tenant that, as such, they need not be concerned about exposure of their personal information.
The Glasgow Guardian is aware of at least one other tenant who, having sent sensitive financial information to Cairn’s compromised email address, was not informed that this information had been potentially been exposed.
The Data Protection Act 2018 obliges businesses to safeguard any personal information that they collect. When it is found that such information has been improperly accessed by a third party, they are required to report this to the Information Commissioner's Office and inform the individuals affected. Companies are required not only to inform affected individuals that data breaches have occurred, but must also outline the possible consequences of them and explain what mitigating steps may be taken. When contacted by The Glasgow Guardian, an employee of Cairn Estate and Letting Agency claimed that the company had submitted a report to the Information Commissioner's Office, fulfilling its legal obligations. The employee declined, however, to comment on the company’s failure to notify tenants of the incident. The employee also declined to explain why the company had issued an explicit denial when queried by a tenant.