In the wake of the latest data breach, where carshare app CityBee has seen 110 000 user account details leaked, we thought it was a good time to remind our users how we protect your data.
At EstateGuru, we take a holistic approach to data protection, meaning that we enforce multiple layers of security.
At the top level, we ensure that all usernames are unique. Your username is also known as your EG Code and does not contain your name or other personal details. In addition, we encourage users to use strong authentication where possible, e.g. Smart ID, Mobile ID, digital ID etc.
All user passwords are stored hashed, never in plain text, and we also offer two-factor authentication for all critical actions like making investments, withdrawing money etc. While this may slow you down slightly and add a bit of complexity, it is definitely worth it for the peace of mind.
You will also have noticed that we notify you about every single account action. This may seem ‘spammy’ to some people, but is a great first-line defence. After all, you will be the first to spot something that you didn’t initiate.
Our team monitors all accounts constantly for user anomalies like abnormal withdrawals or unusual investment patterns and we act promptly when we notice anything suspicious.
Our policies around user and account verification are strict and rigorous, and we refuse to take any shortcuts. While we do receive complaints about the process being inconvenient, we would rather protect our users and their funds than make things marginally more convenient.
All sensitive user data, such as identity documents and bank account details, is stored separately from the actual account, meaning that access to the account does not give access to these documents and information.
Internally, we have a strict access policy to our cloud servers and our back-office user access is extremely limited.
To sum up, we have a five-step security system:
- Onboarding – sign-up and verification
- Using your account – constant notifications when you invest, withdraw, deposit
- Authentication and confirmation of actions
- Technical security measures to protect data
- EG operational security (who has access to data, how they access it, and which client information they can see) and procedures to avoid leaks
Differences between EstateGuru and CityBee
In the wake of the CityBee leak, many investors contacted us voicing their concern about something similar happening to the EstateGuru data.
First off, comparing our security measures to those employed by CityBee is like comparing apples and oranges, but we will endeavour to do so nonetheless.
Bear with us though, as this may get a bit technical.
The CityBee leak happened because the customer database was stored in an unsecured Microsoft Azure blob. The attacker used Rapid7's Open Data Forward DNS (FDNS) dataset to locate the storage endpoint, then a directory brute-force attack to enumerate the directories in the blob, after which the files were downloaded. A further major concern is that the breach apparently occurred in 2018, and CityBee remained unaware until February 2021, when the information was put up for sale.
Our data is not stored in the same way. EstateGuru's IT assets are stored on completely different services which do not have the same technical vulnerabilities, and we closely follow our service providers' recommended security mechanisms.
The main difference is one of data management. Attackers very rarely need to exploit a technical weakness; they walk through doors left open by bad data management.
The CityBee passwords were protected by SHA-1, an outdated and weak hashing algorithm.
Our security systems are constantly reviewed and updated, ensuring that we employ only the most up-to-date measures. As an example, our password hashing system is several orders of magnitude more secure than the one employed by CityBee.
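To illustrate the difference between a plain SHA-1 digest and a purpose-built password hash, here is an added example (not EstateGuru's or CityBee's code; the scheme, iteration count and record format are our own assumptions). It shows why an unsalted SHA-1 record is weak, how a salted, iterated PBKDF2-HMAC-SHA256 record is verified, and how legacy records can be upgraded transparently on the user's next successful login.

```python
import hashlib
import hmac
import secrets

# Assumed work factor; raise it over time so the hash stays expensive to brute-force.
PBKDF2_ITERATIONS = 600_000
RECORD_PREFIX = "pbkdf2_sha256$"  # assumed on-disk format: prefix$iterations$salt_hex$digest_hex


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 of the password: deterministic, so equal passwords give
    equal digests and precomputed lookup tables apply to the whole database."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash: a fresh random salt per record defeats shared
    lookup tables, and the iteration count makes each guess costly."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{RECORD_PREFIX}{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record type using a constant-time compare."""
    if stored.startswith(RECORD_PREFIX):
        _, iterations, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(digest.hex(), digest_hex)
    # Anything else is treated as a legacy unsalted SHA-1 record.
    return hmac.compare_digest(legacy_sha1(password), stored)


def needs_rehash(stored: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True for legacy SHA-1 records and for PBKDF2 records below the current work factor."""
    if not stored.startswith(RECORD_PREFIX):
        return True
    return int(stored.split("$")[1]) < min_iterations


def login_and_upgrade(password: str, stored: str) -> tuple:
    """Verify the login; on success return the record to keep, which is a freshly
    computed PBKDF2 record if the old one was legacy or under-strength.
    Returns (record_or_None, upgraded)."""
    if not verify_password(password, stored):
        return None, False
    if needs_rehash(stored):
        return hash_password(password), True
    return stored, False
```

The migration path matters in practice: the plaintext password is only available at login time, so that is the one moment a legacy record can be replaced without forcing a reset.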
In the end, it all comes down to human effort. The most vital part of data security is constant monitoring, which CityBee seems not to have done and which we most certainly do. Early warning systems are in place to catch any potential attack and block it at the source.
We will continue to protect your data and provide you with a secure investing environment.