It was like any other day -- until the broker's assistant said an FBI agent wanted to see him. The conversation was brief. What did the broker know about John Doe, an employee of the contractor, who was running his IT system? Apparently Mr. Doe had disappeared, leaving evidence that he was part of a potentially dangerous identity theft ring. The FBI asked if the broker would cooperate in the investigation or, would they need a court order to look at his security policies, practices, contracts, system logs, audit results, and company records.

He called his lawyer who couldn't imagine how a real estate broker could be "of interest" in a large scale identity theft investigation. Within two hours, a forensic team finds traces of a new virus that had been embedded across the broker's business applications. A file of new listings had been uploaded to the MLS and a communications port opened, exporting all of the broker's customer, financial, and employee information to an offshore web address.

The MLS had broadcasted the infected file everywhere and there are indications that other brokers are similarly affected. Agent websites are being spoofed, asking consumers for credit cards before displaying listings. The virus has been tracked all the way to Realtor.com, regional MLSs, banks, title companies, major newspapers, and advertising sites like AOL and MSN. The FBI and Secret Service are astonished by the reach of real estate information; they have seen many industries that are as interconnected, but none as vulnerable.

Coverage of the widening event leads the local 10 o'clock news, and worried buyers, and sellers begin calling their agents. By comparing customer files with credit bureau records, investigators are able to determine that a harvesting operation has been churning for some time; changing addresses, ordering credit cards, buying merchandise, applying for driver's licenses, and obtaining new social security cards. The breach is estimated to already involve over 200 thousand Americans. The broker's small business is unwittingly the index patient of a growing epidemic.

The next day, the broker's franchise company finds gaps in their financial records, it's almost as if something is eating through them. At MLSs, the same thing is happening to listings and transaction records. Phone calls from hysterical brokers around the country indicate that the entire info-grid of the industry has been contaminated. Later that next day, a malicious payload detonates, the information assets of brokers and MLSs that were not backed up... vanish.

The outcry is a public relations and stock market disaster. Brokers are stunned by the impact of an event that is typically associated with major portals, commercial information companies, and banks. They realize that their open windows made them an inviting target. A class action law suit is initiated. News reports describes all the proven methods that could have deflected, or contained what is becoming the first industry meltdown. Many MLSs were unsuspecting threat multipliers, unaware of security policies, practices, and technologies widely employed by other industries. Firewalls and penetration testing did nothing to prevent an internal attack.

Legislation passes quickly, making brokers subject to the security regulations of financial services firms. The brands of the best known brokers are punch lines for late night comedians, and several prepare to face Sarbanes Oxley 404 prosecution. Only a few MLSs remain in operation. Consumers begin to migrate to FSBO sites that secure their information and are certified by trusted third parties. Membership in real estate associations plummets, leading to consolidation, and a new appreciation of our national dependence on the safe exchange of information.

Jack Horton is Managing Partner of the Secure Content Group, an information security and identity management consulting firm serving financial services, pharmaceuticals and real estate. Contact him at jhorton@securecontentgroup.com.

Published: March 14, 2005

Use of this article without permission is a violation of federal copyright laws.

Jack Horton is Managing Partner of the Secure Content Group, an information strategy consulting firm in Washington D.C. serving financial services, pharmaceuticals, government and real estate. Mr. Horton’s career has included positions as: IBM Director of Market Operations responsible for the company’s business affairs with its largest customer, the U.S. Federal Government. CEO of GetActive Software, the leader in member relationship management software for major non-profit organizations. SVP Market Development for Equifax Secure, responsible for developing a managed public key infrastructure (PKI) service for Equifax the largest U.S credit reporting agency. Senior Principal at Booz·Allen & Hamilton, leading the practice that developed Internet based application services for the chemical, retail and banking industries. Mr. Horton holds a BA in economics from the University of Wisconsin-Madison. He has participated in executive education programs at Harvard University, IBM’s Advanced Management Institute, Brookings Institution, Darden School of Management at the University of Virginia, and the Aspen Institute’s Center for Communications and Society. For more information, you can contact via email at jhorton@securecontentgroup.com or visit his website Secure Content Group.