Condo Chronicles

šŸšØ Why I Asked Sanderson to Delete My Banking Information

By

Dear Neighbours,

Following Sanderson Managementā€™s recent notice about the cybersecurity incident, I reached out to them with a series of very basic – and very reasonable – questions.

What I received in response is exactly why I have decided to request the complete removal of my banking information from their systems.

Let me explain.

ā³ 1. A 7-Month Delay – With No Real Justification

Sanderson confirmed:

  • They knew by December 15, 2025 that sensitive banking information was involved
  • They had already notified the Privacy Commissioner earlier
  • Yet residents were only informed ~7 months later

Their explanation?

ā€œManual review took time.ā€

Thatā€™s not good enough.

When banking information is exposed, time is risk.
Seven months is not a delay – itā€™s a failure.

šŸ” 2. They Refused to Answer Basic Security Questions

I asked simple, standard questions:

  • Was the data encrypted?
  • Was it segregated from other systems?
  • Was multi-factor authentication in place?
  • Were there prior security audits?

Their answer?

ā€œWe will not be disclosing any details pertaining to our IT infrastructure.ā€

Letā€™s be clear:
I was not asking for passwords or system blueprints.

I was asking whether basic, industry-standard protections were in place.

If you canā€™t confirm that data was protected, what exactly are you asking us to trust?

šŸ§Ø 3. This Was a Ransomware Attack

They confirmed this was ransomware.

Hereā€™s what that typically means:

  • Attackers gain access to systems
  • Data is often exfiltrated (copied) before encryption
  • Companies may not even know what was taken

So when they say they ā€œidentified impacted individuals,ā€ that doesnā€™t necessarily mean the data wasnā€™t accessed – it means they think they know.

Thatā€™s not certainty. Thatā€™s damage control.

šŸ“„ 4. No Transparency – Shielded by ā€œPrivilegeā€

I asked if a forensic report could be shared.

Their response:

ā€œProtected by solicitor-client privilege.ā€

Translation:
There is a report – but residents donā€™t get to see it.

So we are expected to:

  • Trust their conclusions
  • Without seeing the facts
  • After a 7-month delay

Thatā€™s not accountability. Thatā€™s opacity.

šŸ’³ 5. Real-World Impact

During the same period:

  • I experienced unauthorized transactions
  • I had to replace my bank card

I am not claiming causation.

But when your financial data is exposed and you later see suspicious activity, the risk is no longer theoretical.

āš–ļø 6. My Conclusion

At the end of the day, this comes down to one simple question:

Do I trust this organization to store my banking information?

Based on:

  • The delay
  • The lack of transparency
  • The refusal to confirm basic safeguards
  • The nature of the attack

My answer is: No.

šŸ›‘ What Iā€™ve Done

I have formally requested that:

  • My banking information be completely removed from their systems
  • No future payments be processed using stored financial data

šŸ¤” What You Should Ask Yourself

  • Are you comfortable not knowing how your data was protected?
  • Are you comfortable with a 7-month delay in notification?
  • Are you comfortable relying on ā€œtrust usā€ after a ransomware breach?

If yes – do nothing.

If not – you may want to take a closer look at your own exposure.

šŸ“¢ Final Thought

Cyber incidents happen, daily. Thatā€™s not the issue.

How organizations respond is the issue.

And in this case, the response raises more questions than it answers.

Discover more from Condo Chronicles

Subscribe to get the latest posts sent to your email.

Discover more from Condo Chronicles

Subscribe now to keep reading and get access to the full archive.

Continue reading