Cyber Incident Victim: Rapattoni Corporation

Date:

Aug 2023

Location:

United States of America

Summary

A ransomware attack targeted Rapattoni Corporation, a data services company hosting multiple listing services. This caused a widespread outage, locking real estate agents out of systems to add or update property listings. The attack disrupted public-facing property websites and agent operations. Some MLS providers established temporary workarounds, allowing limited submission of listing changes and access to archived data through allied services.

Description

On or around August 3, 2023, at 10 p.m. Pacific Time, the Rapattoni Corporation, a Southern California-based data services company, experienced a significant cyberattack. The incident was identified as a ransomware attack that targeted the company's infrastructure, which hosts multiple listing services (MLS) for real estate associations across the United States, including in the Bay Area. This attack effectively locked thousands of real estate agents out of their systems, preventing them from adding or updating property information on their respective MLS platforms. The immediate consequence was a widespread outage that froze property information viewable to the public on real estate websites that pull data from these MLSes, severely disrupting agents who manage listings and clients who were actively shopping for homes.

The outage impacted several MLS providers, with the Bay Area Real Estate Information Services (BAREIS) being one of the most significantly affected. BAREIS, a Santa Rosa-based multiple listing service that serves five of the six North Bay counties, found its primary system completely inaccessible following the attack. In the days immediately following the incident, the organization's president and CEO, Karen "KB" Holmgren, communicated that there was no firm estimated time for the return of the MLS system, indicating the severity of the disruption and the complexity of the recovery process. The San Francisco Association of Realtors, which operates another major MLS, was also confirmed to be a victim of this attack, as its servers were similarly taken offline by the ransomware.

In response to the crisis, BAREIS took swift action to establish a temporary electronic workaround system. This system allowed listing agents to submit changes to property listings and enabled other agents to view these updates, providing a minimal level of functionality amidst the ongoing outage. However, this solution was far from perfect; agents were encouraged to directly call listing agents to double-check and verify information, a process that harkened back to pre-digital practices and introduced significant inefficiencies into the real estate transaction process. This manual workaround underscored the critical dependency the modern real estate market has on digital data systems and the profound disruption caused when such systems are compromised.

A key factor that mitigated the potential damage of the attack was the existence of the NorCal MLS Alliance, a Northern California alliance of seven multiple listing services that has been in place for over a decade. This alliance arrangement synchronizes listing information between the member services every fifteen minutes. Consequently, when the ransomware attack took down the servers hosting the BAREIS and San Francisco MLSes, the property data as it existed at the time of the attack was preserved on the systems of the five other alliance members. This synchronization protocol effectively created a distributed backup of crucial real estate data, preventing a total data loss scenario for the affected regions.

One member of this alliance, MetroList Services based in Sacramento with over 23,000 users, was also a customer of Rapattoni Corporation. However, its data center, located in the Sacramento area, remained entirely unaffected by the ransomware incident. According to Dave Howe, CEO of MetroList, Rapattoni staff alerted them to the attack while it was in progress. This timely warning allowed MetroList to sever its data link with the affected servers before the ransomware could spread to its Sacramento infrastructure. This decisive action isolated the breach and protected MetroList's operational integrity. Furthermore, because BAREIS, San Francisco, and MetroList all utilized a similar Rapattoni system architecture, MetroList was able to offer users of the two impacted systems temporary access to view archived listing information. This access was set up for BAREIS by Friday evening, August 5th, providing a crucial stopgap measure for agents relying on historical data.

The financial and operational impact on individual brokerages began to accumulate as the outage extended for several days. Gerrett Snedaker, a broker and partner in Better Homes and Gardens Real Estate|Wine Country Group and Better Homes and Gardens Real Estate|Ming Tree, provided insight into the scale of the disruption. His Sonoma-based operations had added just over 1,000 listings in July, representing an average of roughly 35 new or updated listings per day. The inability to process this volume of transactions through the standard digital channel represented a significant operational hurdle. Snedaker, who also serves as the treasurer on the BAREIS board, noted that the timing of the attack in early August offered a small silver lining, as historically this period is a slower time in the local real estate market. This seasonal slowdown may have lessened the overall impact on monthly activity figures. However, he cautioned that if the outage were to extend further into the following week, more serious issues would likely begin to arise, potentially affecting sales and contractual timelines.

The incident forced the real estate community to revert to more traditional methods of communication and data sharing. Snedaker reflected on the era before interconnected computer listings, when MLSes would regularly send physical books of updated listings to brokerage offices. The current situation necessitated a return to more face-to-face contact between agents to share information and confirm listing details. While this change was seen by some as a potential positive, fostering more personal interaction within the industry, it fundamentally represented a major step backward in efficiency and speed for a sector that has grown entirely dependent on instantaneous digital data exchange.

The protracted recovery time indicated that the ransomware attack on Rapattoni's systems was not a simple disruption but a deeply embedded compromise that required extensive remediation efforts. The fact that officials were bracing for the outage to last well into the week following the attack, with no clear restoration timeline days after the initial event, pointed to the severe nature of the ransomware infection and the challenges involved in restoring complex, critical data systems from secure backups or after negotiating with threat actors.

The incident highlights the vulnerabilities inherent in centralized data hosting models, where a single point of failure at a service provider like Rapattoni can cascade into a multi-state operational crisis affecting countless businesses and consumers. The reliance on a third-party vendor for such essential operational infrastructure meant that local associations like BAREIS had limited direct control over the resolution process, placing their recovery fortunes in the hands of Rapattoni's internal incident response and cybersecurity teams.

The collaborative response from the broader MLS community, exemplified by the NorCal MLS Alliance and the aid provided by MetroList, was a critical component in maintaining some semblance of functionality during the extended outage. This cooperation demonstrated the importance of industry-wide preparedness and mutual aid agreements in building resilience against increasingly common and disruptive cyber threats targeting critical business services.
