
MRG Data Breach: How to Respond

On September 3, 2021, Metropolitan Realty Group (MRG), an NYC-area affordable housing developer, announced that they had experienced a potential data breach in November 2020, which may have exposed the personal data of tenants, prospective tenants, and others in their systems. Even if you’ve never interacted with MRG, it’s possible you are one of the other 156 million Americans whose personal data was compromised in 2020. Here’s what you need to know to protect yourself.

What is Metropolitan Realty Group?

MRG Building at Great Neck, NY (Photo: Metropolitan Realty Group)

MRG is an established affordable housing developer that owns and manages 24 properties across the Bronx, Brooklyn, Manhattan, Nassau County, and Westchester County. Their portfolio includes 4,200 units of Project-Based Section 8 housing—developments in which private companies receive Housing and Urban Development funding to cover the cost of a percentage of tenants’ rent in exchange for making those units available specifically to individuals and families with low incomes. MRG posts notices in local newspapers when it is accepting applications and maintains a waiting list of prospective tenants. 

What is a data breach?

A data breach occurs when an unauthorized person obtains access to personally identifiable information, like social security numbers, health records, passwords, income information, or credit card numbers. Data breaches can happen in a number of ways: an employee can unknowingly install malware or spyware on a company computer, or open a phishing email, allowing hackers access to a company’s internal systems. More often, cybercriminals will find vulnerabilities in an organization’s servers and hack into those servers to access the data stored there, which seems to be what happened to MRG. 

Many major companies have experienced data breaches, including Yahoo, Marriott, Chase, Home Depot, and The TJX Companies.

What happens to the stolen data? 

Cybercriminals use stolen data mostly for financial gain: they may open up lines of credit in your name, or file fraudulent tax returns in order to get tax refunds. They may sell your information to other criminals. Occasionally, cybercriminals access personal data with the end goal of extorting money from you by threatening to go public with sensitive information: in 2020, a Finnish mental health clinic had digital patient files stolen. Hackers then sent messages to over 25,000 patients threatening to publish their mental health records if they didn’t pay a fee within 24 hours. 

How do I know if my information has been compromised?

While MRG is working to notify specific individuals they believe may have had their information compromised, anyone who has interacted with the organization should take steps to safeguard their accounts and identity. If you’re concerned about your data, email MRG at [email protected] or send a letter to MRG at 60 Cuttermill Road, Suite 200, Great Neck, NY 11021. 

What can I do to protect myself?

Establish good financial and cybersecurity practices. Protecting yourself starts before your data is compromised. You’ll want to start taking the steps below even if you don’t think your information is currently at risk. 

1. Check your bank statements and credit card statements

Check for any unusual or unauthorized activity. Do this monthly. If you find something, call your credit card issuer or bank customer service line immediately to report it. Follow up with a letter explaining the unauthorized activity and referencing your phone call. 

2. Use strong passwords

As a rule of thumb, use passwords that are at least 8 characters in length, and be sure to include symbols, numbers, and letters. Reset your passwords regularly, and don’t use the same password for more than one account. Have difficulty remembering your passwords? Consider using a password manager.  

3. Use two-factor authentication

Two-factor authentication is a process in which you log in with your username and password and then input a code sent to your email, phone, or authenticator app. Use it wherever available. The most secure 2FA is an authenticator app, as hackers may be able to gain access to your email or phone number via SIM swapping.

4. Check your credit report regularly

A credit report is a statement that contains information on all of your current credit accounts, your credit history, collections notices, and public records like bankruptcies or foreclosures. You’re entitled to one free credit report annually from each of the three national credit reporting companies: Experian, Equifax, and TransUnion. You can request your credit reports online or by calling 1-877-322-8228. You’ll need to provide your name, date of birth, address, and social security number to verify your identity.

Person inputting credit card info (Photo: Karolina Grabowska from Pexels)

What should I do if I think my data has been breached?

Start by following the steps outlined above, then proceed to the steps below.

1. Place an initial fraud alert on your credit file

A fraud alert is a flag on your credit that requires any business issuing credit to you, such as a credit card company or lender, to verify your identity. It’s a free service, and you can place a fraud alert by contacting any one of the three national credit reporting companies: Experian, Equifax, or TransUnion. The fraud alert will automatically be sent to all three organizations. 

2. Consider a credit freeze

Also known as a security freeze, this free service prevents businesses from checking your credit file and prevents anyone from opening credit in your name until you remove the freeze. (It does not, however, prevent access to your credit report for purposes of employment, tenant screening, or insurance.) Unlike the fraud alert, you must contact Experian, Equifax, and TransUnion separately to place credit freezes. To place a credit freeze, you’ll need to provide a police report, investigative report, or complaint to a law enforcement agency about the potential identity theft, as well as identifying information including name, addresses, date of birth, social security number, proof of current address, and a photocopy of government-issued identification.


Data breaches are not going away anytime soon, as the arms race between hackers and cybersecurity is constantly evolving. The best thing to do is take proactive measures to minimize the damage you may incur if (and when) your data is compromised. An ounce of prevention is worth a pound of cure.

Leah Reddy is a New York-based writer, video editor, teaching artist, and theatre director/dramaturg with roots on the westside of Cincinnati, Ohio. She’s been lucky enough to teach in all five boroughs of NYC and as a result, spend time in our fantastic city’s lesser-known neighborhoods. An avid runner, foodie, and NYC history buff, she will talk your ear off about her favorite subjects and try to convert you to her level of enthusiasm for the Yiddish Broadway walk of fame, thali, and the fact that Chester Arthur was sworn in as President of the United States in the building that now houses Kalustyan’s. She wants all New Yorkers to be able to enjoy their city and to marvel in the things that surround us all each day.