Connexus Housing was the Winner in the Cyber-Security category at the Housing Technology Awards 2025. Nick Chamberlain and Dan Patch from Connexus Housing about their security nightmare before Christmas.
Cyber security can be an unnerving topic to discuss for even the most vigilant organisations. We all understand what needs to be protected – the data, the people and the services – yet when the threats become real, you ask yourself, “did we do enough and were we really prepared?” This reality struck Connexus Housing on 18 December 2023. What began as a routine morning quickly escalated into a full-scale cyber-security incident, one that would test the whole organisation.
First response
We first became aware of the incident through our automated reporting systems which began sending email alerts and notifications in the early hours of the morning. Our initial priority was to confirm whether the threat was real. This was quickly established when we reviewed our activity logs and saw signs of a breach in our internal network. Despite all of our best efforts and investment in cyber-security training and software, something had got through.
Once we were aware, our team acted quickly, making the critical decision to take Connexus offline. At the same time, a major incident team was being assembled; this included IT personnel and senior colleagues from across Connexus who would make key decisions and respond as the situation evolved. At around midday, our data centres and all other networks were taken offline or isolated to safeguard our information.
We also began working with our insurers and cyber-security experts to help shape our response further, with our early engagement and the intelligence they gave us proving invaluable and giving us confidence in our approach.
The nightmare before Christmas
There is never a good time for a cyber-security incident but the timing couldn’t have been worse, with it being just days before the Christmas break. Our immediate concern was that our systems would be unavailable for our staff delivering an emergency service over the festive period, especially for those customers with complex support needs and vulnerabilities. Any outage would also have a knock-on impact on our data and systems into the new year so, as with our initial response, we needed to act fast.
By 27 December, a full rebuild of our infrastructure had begun. This was a crucial step because we couldn’t trust anything on our existing infrastructure due to the risks of ransomware being present. We also couldn’t simply restore what was lost from backup without 100 per cent confidence that this didn’t present a security risk so we set out to build something better. By 2 January, all of our core systems were rebuilt to meet the latest best practices, with enhanced security and performance.
All in it together
One of the most significant undertakings was the re-imaging of around 400 laptops. This involved rolling out the latest supported version of Windows 11, fully patched and secured, applying Connexus branding and installing all necessary software. Our old way, which was largely manual, wasn’t an option so we developed a new and faster solution offline before fully testing it and recalling all 400 laptops.
By 12 January, every employee had received a newly-imaged laptop, a remarkable feat considering the number of devices and our geography, which covers most of the Welsh borders and beyond. This achievement wouldn’t have been possible without the support of teams outside IT, who handled communications, logistics and an influx of questions from colleagues, allowing IT to focus on the technical aspects of the recovery.
Data recovery – Precision & and planning
On 16 January, our attention shifted from our infrastructure to the data in our systems. Led by our project management office and IT, and supported by nominated colleagues from across all departments who knew the data and the systems, the process was governed by a set of clear principles:
- Core systems were to be restored in a defined sequence, prioritising legal, compliance and financial data.
- Data entry would occur only in designated ‘clean’ systems, managed onsite to prevent contamination.
- Access would be restricted to selected colleagues to maintain data integrity.
- Recovery would be phased: first the week before the incident (10-17 December) then sequential restoration from 18 December onward.
- The rent review process (the first major data-led process of the year) was the starting point, alongside a key goal of finalising our financial accounts by 31 May.
- A dedicated Microsoft Teams channel and intranet tracker would keep everyone informed about live system availability from late January through to early June.
Scrutinising the data
To ensure the accuracy of the data being restored, the IT team created an isolated environment where colleagues could review applications and data from before the incident, focusing most of their efforts on the week before our systems were taken down, when the likelihood for any data loss was at its highest.
This process allowed the manual re-entry of verified data into newly-rebuilt and secure systems. It was a painstaking but necessary step to ensure the integrity of our data and ensure that nothing from the incident was being inadvertently transferred.
A rapid recovery
Despite the scale of the challenge, departments across Connexus supported the recovery with remarkable determination and collaboration.
- Our HR and payroll teams ensured the December payroll was delivered on time despite system outages by using manual records, rebuilding the payroll system by 18 January, with updated pension, sickness and job-role data added for over 500 staff by 28 February.
- Our housing team completed the tenancy updates and rent calculations by 2 February, issuing rent review letters to more than 10,000 tenants by 26 February and finalising our arrears and other important tenancy data by 31 March.
- The asset management team restored our property and project data by 20 February, managed payments through emergency processes and manually recovered or rescheduled all property surveys.
- Our compliance team reverted to hard-copy gas certificates and updated backlog data by 20 February.
- Our customer-services teams restored contact notes, safety awareness alerts and customer updates by 20 February.
- Our development team recovered all data from spreadsheets and shared drives by 1 March.
- Our finance team paid all suppliers before Christmas to avoid hardship, resuming normal payments by 20 February and signed off our audited accounts by 31 May.
A driver for change
As well as being the catalyst for rebuilding our infrastructure and core systems, the cyber-security incident helped accelerate the introduction of new technology at Connexus.
Originally planned as a 12-month project starting in summer 2024, the migration to SharePoint from old file-shares was completed in just eight weeks. By the end of February, all teams were migrated, trained and operating on the new platform, transforming the way we collaborate and share information across the organisation.
Learning the lessons
After the incident in December 2023, we felt it was essential to share our experience to help others in the sector. Since then, we have presented at Housing Technology’s annual conference, the Social Housing Strategy Forum and various security and risk management events, as well as engaging directly with other housing providers to discuss our response and the measures we’ve implemented to strengthen our defences against future threats.
While it’s not an experience we would wish to relive, it demonstrated how teams can come together to turn a crisis into an opportunity. The swift actions and collective efforts of everyone involved ensured we stopped the attack in its tracks, protected our data and rebuilt stronger than before. Importantly it shows that planning and preparation can only take you so far; it takes a collaborative and forward-thinking approach when things to go wrong to come out on top.
Nick Chamberlain is an IT technical security analyst and Dan Patch is a senior IT systems analyst at Connexus Housing. The housing provider was the Winner in the Cyber-Security category at the Housing Technology Awards 2025.
