Skip to Main Content


Housing Associations

Housing associations are not-for-profit organisations that provide affordable housing options for individuals requiring additional financial support. In order to house tenants, the associations require information regarding the individuals’ names, contact details, addresses, and bank details. Importantly, housing associations are increasingly utilising digital channels to manage their operations, which means that this data is stored online. Accordingly, the industry retains a huge volume of confidential information on its online servers, and therefore stands as an attractive target for cybercriminals.

Faint pattern of locks, 1s and 0s on top of hexagons

Challenges for Housing Associations:

The two main cybersecurity challenges facing you as a housing association are protecting your data estates, and keeping your services operational.

Book your FREE demo

Ready to take action? Fill out our form to start the process of protecting your business.

Data Protection

Housing Associations hold a huge volume of personally identifiable tenant information. This includes data pertaining to your tenants’ names, dates of birth, contact details, addresses, and financial records. It is vital for you to ensure that this data remains secure and inaccessible to cyber criminals, because you are under a duty to your tenants to protect their private information; there are various privacy regulations and data protection laws that you must comply with when storing tenant data. In particular, the Data Protection Act 2018 dictates that you must abide by the General Data Protection Regulations (GDPR). The confidential and highly detailed nature of these records means that the consequences of a data breach would be significant for both your organisation and your tenants.

Remaining Operational

Cyber attacks impact regular business operations by slowing down or locking your systems. For housing associations, this could affect your critical services including payment systems, maintenance services, and application processes. In many instances, it can take months for your services to be fully reinstated. As a housing association, it is vital for you to remain operational, because you offer a key service that many individuals across the country rely on; the nature of your work with lower income individuals who struggle to afford housing means that the importance of your services remaining functional is heightened.

Book your FREE demo

Ready to take action? Fill out our form to start the process of protecting your business.

Common Attack Vectors:

Phishing attacks are the most common attack vector for housing associations. These attacks most commonly manifest through malicious emails which are designed to deceive your employees into conducting certain acts. This could involve transferring data and capital to parties they shouldn’t, divulging their login credentials, or downloading malware onto their devices. These acts allow cybercriminals to compromise the wider organisation’s sensitive data and assets.

In August 2021, various London residents were hit by phishing scams after their email addresses were revealed during a cyber attack. The attackers posed as the housing association’s repairs company in an attempt to defraud its residents of money.Read More

Security Awareness Testing

Ransomware attacks are another common attack vector against housing associations. The pathway to infection typically involves deceptive phishing emails or compromised websites. Following the successful download of malicious software onto a company device, hackers will encrypt your company’s data, lock you out of your operating systems, and hold your files hostage until you pay a ransom. In most cases, this will result in your operations being reduced or entirely inhibited for weeks.

The demand for ransom is often heightened by a threat to publish your data on the dark web for failure to comply. The threat of data publication is particularly significant for you as housing associations, because of the volume and nature of data you store. Accordingly, organisations often elect to pay the ransom, which creates an environment that encourages ransomware attacks.

In February 2021, American housing association Cuyahoga Metropolitan Housing was hit by a ransomware attack. This left 700 employees and 55,000 residents without access to the organisation’s website, and information about dozens of employees was released by the hackers.Read More

It is common for housing associations to rely on third party vendors to operate various functions for them, which leave you susceptible to supply chain attacks. These attacks involve cybercriminals infiltrating your network by conducting an attack further down the supply chain on your third party supplier. This presents as an easier attack route for cybercriminals, because third party targets often have less robust cybersecurity defences. These attacks enable hackers to access your data, and disrupt your critical services.

In July 2021, two property service providers ForHousing and Liberty Group were hit by a ransomware attack. This enabled cyber criminals to access the systems of ForViva, the social housing group to which both companies were connected. This resulted in the compromise of the housing association’s sensitive data, and the temporary loss of their systems.Read More

Particular Vulnerabilities:


Have you set aside a sufficient budget to properly protect your assets?

Protecting your sensitive data sets is a priority for all housing associations. However, budgetary restraints within the sector commonly result in weak cybersecurity; as not-for-profit organisations, you often do not have sufficient funds to invest in the necessary software or technical staff to protect your networks. As such, housing associations frequently operate on outdated and poorly maintained security systems. This combination of low budgets and scarce resources culminates in vulnerable data estates which cybercriminals are able to exploit.

New Technologies

Are you embracing new softwares to help you streamline your operations and reduce costs? Perhaps you have started using artificial intelligence, cloud applications, and the Internet of Things to enhance business activity?

Whilst these new technologies are useful for housing associations, they also create vulnerabilities for cybercriminals to exploit. In particular, cloud computing presents a distinct vulnerability for housing associations. Cloud computing involves storing your data and running applications in the cloud, which enables you to streamline your operations. However, if cloud security standards are not properly adhered to, it creates vulnerabilities for cybercriminals to exploit; your surface area for attack is increased, and you become exposed to cloud exploits including hijacking and denial of service attacks.

Third Parties

Does your organisation rely on any third parties to perform various functions for you? Perhaps you engage with agents, landlords, providers, or maintenance staff?

Using third parties increases the size of your organisation’s attack surface, and leaves a greater number of entry points for cyber criminals to exploit. If any of your third party contractors were to be targeted in a cyber attack, your organisation would also be impacted. The breach could result in the loss of tenant data, operational delays, reputational damage, and economic damage. As such, third party vendors act as a vulnerability for housing associations.

Human Error

Are your employees sufficiently trained in recognising and reporting cyber attacks?

Human error stands as a particular vulnerability for housing associations. This involves your employees accidentally exposing confidential information, or making a mistake which allows hackers access to your organisation’s systems. Cybercriminals recognise the prevalence of human error, which constitutes the primary cause of data breaches, and exploit this when targeting their attacks. Therefore, the level of cybersecurity protection you deploy can be made redundant through social engineering bypasses. Housing associations often don’t invest much into the necessary awareness and training courses, which means that human error stands as a particular vulnerability for the sector.

Sound familiar?

Get in touch with our experts to ensure your business is fully protected.

Consequences of a Cyber Attack:

The two main consequences of cyber attacks for housing associations are business interruption and data breaches. These consequences are serious, and cause further difficulties, including:

Fines and Lawsuits:

The nature of the data collected by housing associations means that you must adhere to strict regulatory requirements. These pertain to the way the data is stored, and the assurance that it will remain private. Accordingly, you are under a duty to protect your tenants’ data (GDPR). If you fail to adequately protect this sensitive data, you might face fines from regulatory and auditing authorities, as well as legal repercussions and lawsuits.

In March 2023, a Polish housing association was fined 52,000 PLN for breaching GDPR by failing to inform the relevant parties when their data was leaked in a cyberattack.

Read More

Damage to Reputation:

Cyber attacks will impact your association’s reputation in the marketplace. If you experience a data leak, or are unable to operate your housing services, it will damage consumer confidence in your organisation, and harm your reputation with the national housing regulator.


A data leak could result in identity theft or financial fraud, wherein your employees’ or tenants’ personal information and bank details are used by a fraudster. This could have significant consequences for the affected parties, including financial loss, ruined credit histories, and refused employment opportunities.

Financial Loss:

Cyber attacks result in significant economic loss. If your services are inhibited for an extended period of time, this will result in reduced business operations. Accordingly, financial loss has the opportunity to manifest through the cost of remediation, financial fraud, lawsuits and fines, ransom payments, training programmes, and loss of business.

In June 2022, Clarion was hit by a cyber attack which inhibited its systems for several months. The association claims this resulted in a 6% fall in turnover, and 10% fall in operating surplus.

Read More

Got a question?

Speak to one of our experts to find out if we can help you secure your business.

Faint pattern of 1s and 0s on top of hexagons

Take Action

The potential consequences of a cyber attack within the pharmaceutical industry are substantial. It is crucial for you to partner with cybersecurity specialists to implement strategies and training that protect your data, and prevent attacks from materialising. At a basic level, you should have an understanding of where your data is stored, who has access to it, and what your network entry points are.