Locked Out: Vendor Breach Disables Smart Access for Thousands

The Challenge

In February 2025, a major cybersecurity incident hit ClearAccess Technologies, a third-party provider of smart lock systems for residential buildings. The company suffered a ransomware attack that encrypted its administrative servers and blocked remote access to thousands of smart locks. Waypoint Realty, a large property management firm with over fifteen high-rise residential buildings using ClearAccess systems, was immediately impacted.

Tenants lost access to essential services such as main entrances, gyms, storage areas, and parcel rooms. Although manual overrides existed, the response was slow and disorganized due to outdated contact lists and an untested emergency procedure. Several residents were locked out for over forty-eight hours, leading to complaints, social media backlash, and coverage by local news outlets.

The post-incident review revealed several key issues. The vendor agreement lacked language around incident response timelines, breach notifications, and infrastructure resilience. Waypoint Realty had not requested or reviewed the vendor’s cybersecurity certifications and had no visibility into ClearAccess’s disaster recovery capabilities. Additionally, Waypoint had not conducted any simulations or continuity drills to prepare for system-wide access failures.

The result was not only a temporary disruption in building operations but a significant reputational risk. Tenants questioned the reliability of the building’s smart features, and several prospective renters cited the incident as a reason for pausing their applications. The real estate firm was left scrambling to restore confidence.

Our Solution

We were engaged to lead both the recovery operation and long-term vendor security planning. First, we coordinated with ClearAccess to restore essential access functionality within seventy-two hours. We helped develop a temporary manual access protocol and trained on-site staff in rapid response procedures. Then, we conducted a full contract review and introduced a structured vendor risk management framework.

All vendor agreements were updated to include mandatory cybersecurity standards, third-party audit requirements, breach notification timelines, and business continuity protocols. Internally, Waypoint implemented fallback access systems using independent infrastructure and scheduled quarterly continuity simulations.

The Value

Tenant confidence was gradually restored as communication became more transparent and new protections were implemented. The firm’s operational resilience became a differentiator in leasing negotiations. Waypoint’s leadership also gained greater control over its digital infrastructure through enforceable standards and proactive vendor management.

Implementation Roadmap

1. Review and revise all vendor contracts to include cybersecurity obligations

2. Implement manual fallback systems for critical access infrastructure

3. Establish clear tenant communication plans for digital outages

4. Require vendor certifications and third-party audits

5. Schedule joint incident simulations with all critical service providers

Info Sheet

(Story 5 text included above in the compiled stories)

Info Sheet

Industry Sector: Real Estate and Rental and Leasing

Applicable Legislation:

  • PIPEDA
  • Canadian Cybersecurity Risk Management Framework

Necessary Action Type: Vendor Security Assurance and Business Continuity Planning

Steps to Be Taken:

  • Conduct due diligence on vendor backup and recovery systems
  • Add breach response and insurance coverage to contracts
  • Introduce operational fallback protocols for critical services
  • Coordinate joint tabletop exercises for vendor disruptions
  • Mandate incident notification and data segregation clauses

Involved Third Parties:

  • Smart access control vendor
  • Cybersecurity crisis response firm
  • Building operations team