Security researcher tells of 'reaching out' to Wellington company after finding data breach
Thursday, 16 July 2020
When a security researcher in Ireland discovered an unsecured database which contained thousands of personal files, he immediately reached out to the company concerned.
More than 31,000 images of people’s passports and driver’s licences had been leaked by Wellington firm LPM Property Management.
The files included expired and active passports from New Zealand and overseas, driver’s licences, evidence of age documents, pictures of applicants and maintenance requests.
Speaking to Stuff from Ireland, Jake Dixon of Vadix Solutions said he was part of a wider project to analyse critical infrastructure within Ireland.
He said they discovered the breach on May 10 and “immediately reached out to the company” using the contact form on their website. The Office of the Privacy Commissioner was also contacted.
“Given the large amount of documents like passports, driver’s licences and birth certificates, we were very concerned we weren’t hearing anything back about this.”
Dixon said they “gave it a few weeks” but were uncertain of what to do, as they had never faced this situation. He then contacted CyberNews, a company they had worked with before, and Amazon to close off the “vulnerability”.
Dixon said normally companies were “very quick” to jump on the ‘breach topic’.
“Not only is it about saving the reputation and profile of the company, but the information they’re holding is very sensitive and very personal – so it was very unusual that they didn’t get back to us.”
LPM Property Management has been contacted for comment.
The files were accessible to anyone with the URL, which appeared to be owned by LPM Property Management, CyberNews reported.
About 31,610 files were in the database – 15 files were not images, CyberNews reported. The database, known as an Amazon Simple Storage Solution (S3) database, was now secure.
LPM Property Management looks after rentals in the Wellington region but works with landlords from around the country.
In a statement, the company said it took the protection of its clients’ data “very seriously”.
“That’s why we promptly dealt with this issue once we were made aware of it. The data is fully protected after our external technical contractor acted to ensure it was safe. There is no evidence at all to suggest any unauthorised access.
“It appears that initially a design flaw in the website prepared for us created a problem which was quickly rectified.
“We are now moving at pace to satisfy our clients and ourselves that all necessary steps have been taken to ensure this does not happen again. Our review will continue throughout the day. We expect to be in a position to update our clients tomorrow,” the statement said.
On Thursday afternoon, tenants received an email from LPM Property Management, stating its technical contractor discovered the problem on June 10 and it was fixed on June 11.
Real Estate Institute of New Zealand’s (REINZ) chief executive Bindi Norwell said “it is disappointing and surprising that, despite being warned of the breach, it appears they did little to fix the issue”.
“REINZ has been working closely with its members over the last few months as the Privacy Bill has worked its way through Parliament and has kept members abreast of the changes and reminding them of the importance of protecting their customers’ and clients’ personal information.”
As a property management company, it was not required to be a member of REINZ and was currently not a member.
A spokesperson for the Office of the Privacy Commissioner said it had now been notified by LPM Property Management Company. The company had also written to the Commissioner.
Te Tari Taiwhenua/The Department of Internal Affairs (DIA), which provides passports and other services, was not approached about this incident or contacted by any individual affected by it.
DIA had since made contact with the property management company.
People who believed their passport details were compromised did not need to cancel their passports but could contact DIA on 0800 22 50 50 so it could put a flag on people’s passport record.
NZTech chief executive Graeme Muller said this type of incident happened a lot more than expected.
“In cases like this, it’s on the company to let people know there has been a potential breach … if companies do not take this seriously, then we may need to talk about regulation.”
CERT NZ deputy director Declan Ingram said data breaches were easier to avoid than they were to fix.
“We recommend that businesses only collect customer information that they need, and have a clear understanding of why it’s required. It is also extremely important for businesses to develop a response plan in the event that data is compromised.”
CERT NZ’s TIPS FOR DATA BREACHES:
If a data breach has happened to your business here are some steps to take:
* Disconnect the compromised system from the internet, but don’t turn it off. If you turn it off, you could lose evidence that will help you work out what happened.
* Reset the passwords for any compromised account.
* Be open and transparent with your customers. Notify anyone who could be affected immediately.
* If personally identifiable information could have been breached, consider notifying the Office of the Privacy Commissioner.
If you’ve been made aware that your data has been lost in a data breach, there are a few steps to take straight away:
* Secure the affected account with a new strong password that you haven’t used on any other accounts. The best passwords are long, made up of four or more words.
* If the password on a compromised account was used on other accounts, those passwords should also be changed, and all of the new passwords should be different to each other. Consider using a password manager to securely store your passwords.
* If your identity documents have been lost in a data breach, talk to the issuing agency straight away for help.
* If personal information has been breached, like birthdates, consider whether you have been using this information to secure other accounts, for instance as passwords or answers to security questions. If you have, those passwords and security answers should also be changed.
* Get a free credit check done. This will let you see if any accounts have been opened in your name. There are three main credit check companies in NZ, and you’ll have to contact all of them. You can ask to have your credit record corrected if there’s any suspicious activity on it. The Office of the Privacy Commissioner has information on freezing your credit information.