A charitable housing association has lost almost £1m after falling victim to cyber criminals.
Red Kite Community Housing, a community benefit society that provides social housing in Wycombe, Buckinghamshire, said in a statement that criminals had stolen £932,691 in August.
The organisation said it was unable to give precise details of what happened because of an ongoing police investigation, but criminals had mimicked the domain and email details of contacts that were providing services to Red Kite.
“Through this they managed to recreate an email thread that misled those who were copied into the email that it was a genuine follow-up to an existing conversation,” said Mike Gahagan, chair of Red Kite.
“Despite this, we still had an additional safety net in place, a two-stage process to verify changes to payments and accounts that ordinarily would have caught this attempt.”
But an error in this process resulted in a “missed opportunity to shut the door before the money was taken”, according to Gahagan. “This is the part that upsets everyone involved.”
Red Kite said it appeared as if a breach of a system belonging to an external source had enabled criminals to gain access to the information in the first place.
Gahagan said the association had since brought in an “internationally renowned cyber-specialist organisation” to help identify what happened and to find evidence that could be passed to the police.
“We are reassured that our systems were not compromised,” said Gahagan. “However, that does nothing to ease the pain of the situation.
“As such, we have continued to build additional security measures into our IT and to review completely all our processes in relation to payments in order to minimise the chance of a single point of weakness occurring in the future.”
He said staff training in the risks had been strengthened.
“One key lesson is that no matter how good you believe your systems to be, the human dimension will always be a potential weakness,” said Gahagan.
“By talking about this openly, we hope that colleagues in the sector reflect on their own systems and take the opportunity to ensure that this doesn’t happen to them.”
Red Kite understands that police are on the trail of the criminals, and it is hoped that the association might be able to recover the stolen funds.
The association, which manages more than 6,500 homes and has about 140 staff, said its services would not be affected because it had separately been able to renegotiate a financial deal, saving it £1.1m.
The fraud has been reported to the Regulator of Social Housing and resulted in the organisation’s governance rating being downgraded from G1 to G2.