Cyber Incident Victim: Douglas Elliman

On April 7, 2021, Douglas Elliman Property Management detected suspicious activity on its IT network, prompting an investigation into a potential security breach. The incident compromised systems containing personal information belonging to residents of New York cooperative and condominium buildings managed by the firm, as well as employee data. Within the same month, the company's three managing directors notified hundreds of affiliated property boards via email about the breach and the potential exposure of sensitive information. The internal communication confirmed unauthorized access to the IT infrastructure but did not specify the duration of the threat actor's presence in the network prior to detection. No technical details about the attack vector or methods of intrusion were disclosed in the initial advisory.

The breach placed thousands of New York residents at risk of personal data exposure, though the notification did not enumerate the exact number of affected individuals or specify which data categories were accessed. Douglas Elliman Property Management’s response focused on informing stakeholders through direct communication with building governing boards rather than issuing public statements. The company did not initially disclose whether law enforcement was engaged or whether third-party cybersecurity firms assisted in the investigation. No evidence of data misuse was reported at the time of notification, and the firm did not announce remediation offers such as credit monitoring for impacted parties. The incident highlighted operational vulnerabilities in property management IT systems handling resident and employee information.