2017 Editor's Note: Since the publishing of this article in April 2015, we are not aware of any waiting list information breaches on WaitListCheck or any other online waiting list provider.
If you have applied to any online Section 8 waiting lists lately, odds are you have used a website called WaitListCheck by HAPPY Software. They power hundreds of housing authority Section 8, public housing and other housing waiting lists.
Earlier this week, the WaitListCheck website went down for several days and HAPPY posted an update saying it had been the victim of an attempted "probe" of their system. In other words, someone tried to hack their system.
HAPPY said in a notice, posted to all housing authority waiting list portals they manage, they "detected an unusual number of attempts to probe our system. Because of this unusual amount of activity, we chose to take our systems off-line so that we could thoroughly scan them. We hired a security consulting firm to conduct an in-depth scan of our systems so we can identify and address any issues."
We reached out to HAPPY yesterday via email with the following questions:
1. When will the waiting list portal be back up?
2. We know that Stamford, CT (Charter Oak Communities) has extended their closing due to the outage. Rockford, Illinois will be opening on Monday, April 6. Is it expected that the portal will be back online by then?
3. If someone applied immediately prior to the outage, will they need to reapply once it's back up?
4. On waitlistcheck.com, on 3/30/15 you reported that there was recently a large number of attempts to "probe" your system and go on to say you "hired a security consulting firm to conduct an in-depth scan of our systems so we can identify and address any issues".
Given recent data breaches like Target, Home Depot and others, and the fact that every applicant that uses your system submits their Social Security number and those of their family, our users are very concerned about identity theft and privacy.
Were any of these "probes" successful? Why did you decide to hire an outside consulting firm instead of using in-house data security staff? Has the consulting firm found anything to be concerned about? Has the consulting firm said you are in the clear? Will you be contacting individual users regarding any possible risks to their privacy? If it is confirmed that a breach did take place, do you have a plan on how to handle applicant privacy and data security?
HAPPY responded to our email saying:
"We expect to post some Frequently Asked Questions on our website in the next few hours. Several of the answers will address your questions."
As of this morning, the HAPPY Software website was still down and we could not find a document addressing these questions.
However, early this morning, the WaitListCheck website (separate from the HAPPY Software site) came back online and seems to be operating normally.
Given all the security breaches by large companies lately like Target, Home Depot and Sony Pictures, as well as the recent Lubbock Texas Housing Authority's publishing of 1,100 Section 8 applicants' Social Security numbers online, people applying for assistance online should be vigilant when providing personal info.
Almost every Section 8 application (no matter the software vendor) and specifically HAPPY Software's WaitListCheck, requires the submission of a Social Security number for the Head of Household and every member of the household including children.
[Image: The HAPPY Software Online Section 8 Application requires the housing assistance applicant to provide their Social Security number and that of each family member.]
Given the present risk of a security breach and the fact that HAPPY serves 10,000's of applicants, we decided to take a look at HAPPY's policies on security and user data protection.
We were somewhat surprised by what we found.
In HAPPY Software's Terms of Use, which all users automatically and expressly agree to when they use the site and complete a housing assistance application through their system, they overtly displace any and all liability for a security breach of their system onto the user of the site, which in almost every case is a low-income housing assistance applicant. HAPPY claims it is not "liable for any damages suffered by you...that result from the use of this Web site."
[Image: Sections 7 and 9 of the HAPPY Software, Inc. (WaitListCheck.com) Terms of Use as published on April 2, 2015]
The legal language removing any liability from HAPPY is contained in 2 sections: 7. Limitation of Liability and 9. Security.
In Section 7, it says:
Under no circumstances shall HAPPY Software, Inc. be liable for any damages suffered by you, including any incidental, special or consequential damages (such as lost funds, damages for business interruption, or loss of information, programs or other data) that result from the use of this Web site, breach of security associated with the transmission of information through the Internet or inability to access this Web site.
Additionally, in Section 9 it reads:
Data transmitted to and from client Web sites is encrypted for the user's protection. However, the security of information transmitted through the Internet can never be guaranteed. HAPPY Software, Inc. is not responsible for any interception or interruption of any communications through the Internet or for changes to or losses of data.
The most concerning legal language in the Terms of Use is "Under no circumstances shall HAPPY Software, Inc. be liable for any damages suffered by you...that result from the use of this Web site." That is very broad language that seems to imply that HAPPY is not responsible for damages suffered by a housing assistance applicant, even if the loss was due to HAPPY's action or inaction.
Since Affordable Housing Online started tracking Section 8 Housing Choice Voucher waiting list openings in May of 2014, thirty one (31) housing authorities that opened their Section 8 waiting lists have used, or currently use the HAPPY Software's WaitListCheck service.
Housing Authorities That Have Used HAPPY Software's WaitListCheck Service For Section 8 Housing Choice Voucher Waiting List Openings Since May 2014
An unknown number of housing authorities use the software to manage Project-Based Section 8, Public Housing and other housing program waiting lists as well. All applicants to all of these programs are subject to the same Terms of Use document. It is unclear if housing authorities who have contracted with HAPPY Software to manage their housing waiting lists are aware of the limitation of liability in the case of a security breach. We are reaching out to a number of these housing authorities for comment.
One thing is clear. In most cases, WaitListCheck is the only way to apply for this Federal housing assistance program in many major cities. Given these housing programs are Federal programs being administered on behalf of HUD, it is unclear if any specific Federal privacy or data security laws are relevant or would require liability to be placed on a contractor providing an end-to-end software solution for managing that Federal assistance. We have reached out to HUD's Section 8 Housing Choice Voucher office in Washington, DC for more information on what, if any, protections Federal regulations (either general privacy/data security or specific HUD Section 8) provide to low-income housing assistance applicants in the case of a data breach.
In full disclosure, we operate an online business and serve over 1 million users each month on our websites and Facebook page. We take privacy and data security very seriously. If a breach were to occur (as Sony, Target and Home Depot have demonstrated recently, it can happen to any company) we would make sure that our users were protected and properly compensated for any losses they incurred as a result of a weakness in our systems or practices, as any company should.
We are big supporters of online housing assistance applications. It streamlines the process for everyone and we wish every housing authority used online applications. We do, however, believe that any party charged with collecting and maintaining applicants' personal data should not only take extreme actions to protect that data but be willing to properly compensate persons in the case that personal information is compromised and the person suffers financial consequences.
What do you think? Are you willing to provide your family's personal information including Social Security numbers knowing that the party collecting it has already told you they won't accept responsibility if their system's security protocols are inadequate to stop a hack attack?