Real Estate Institute of New Zealand’s (REINZ) chief executive Bindi Norwell said the company at the centre of the breach was not a member.
Which is perhaps a bit disingenuous, given that the owner of the company appears as an agent on their web site.
freitasm:
From here on Stuff:
In a statement, LPM Property Management said it took the protection of its clients’ data “very seriously”.
“That's why we promptly dealt with this issue once we were made aware of it,” the statement said.
“The data is fully protected after our external technical contractor acted to ensure it was safe. There is no evidence at all to suggest any unauthorised access.
“It appears that initially a design flaw in the website prepared for us created a problem which was quickly rectified.”
“We are now moving at pace to satisfy our clients and ourselves that all necessary steps have been taken to ensure this does not happen again. Our review will continue throughout the day. We expect to be in a position to update our clients tomorrow,” the statement said.
Real Estate Institute of New Zealand’s (REINZ) chief executive Bindi Norwell said the company at the centre of the breach was not a member.
Interesting that the Stuff article takes them at their word on this, and does not include the original information about Cybernews and Amazon contacting LPM about it, and LPM failing to act.
With a small SME like that likely listened to their IT Provider that said 'watch out for suspect emails to avoid Crypto', I can just see the Email now..
to:info@thatplace
Subject Security Breach
/OMG Red flag.. this might be phishing/
Dear Sir/Madam
I work for Vadix Solutions, A Compliance and Security..
*DELETE*
From here on Stuff:
--
Interesting that the Stuff article takes them at their word on this, and does not include the original information about Cybernews and Amazon contacting LPM about it, and LPM failing to act.
--
I agree with you. I sent an email to the tips email address in the article about the same point earlier on - suggesting they did a follow up email due to the conflicting stories. I decided to CC in the privacy commissioners investigation team into the same email for no real reason in particular. It will be interesting to see if a follow up story comes through.
Geektastic:'She'll be right' strikes again.
Sadly, many New Zealand businesses are riddled with a lack of attention to detail in my experience.
There's actually multiple parties at fault, and one not at fault. The business itself outsourced it to an IT company so they're not really at fault. The IT company screwed up the AWS config so it wasn't secure. But the biggest problem is AWS, which has security mechanisms on their cloud stuff so profoundly unusable that breaches are pretty much guaranteed.
There are some things you can not contract yourself out of.
The legal obligation for securing the privacy information that you are the custodian of would still sit with LPM.
Apart from that, it seems the data retention policies or the execution of those policies might also be out of sync when viewed against the rationale for collecting the information. As someone else mentioned, 30,000 records suggests they have a fair amount of privacy data that is not required by the processes to be run on the related accounts - a fair few which I assume are ex-tenants.
Got my response from the Privacy Commission.
Thank you for your enquiry about the LPM Property Management privacy breach.
We are only able to accept a complaint from individuals directly impacted by the breach.
If you believe that your information was exposed in the breach please let us know. If you were not directly impacted by the breach, we are not able to investigate a complaint from you as an individual (though we are grateful to you for bringing your concerns to our attention).
We are unable to comment on whether we have received or are investigating any complaints about this matter at this time. If we received a complaint from an affected individual we would assess their concerns as we do any other incoming complaint.
I trust this clarifies the role of our Office in responding to a breach like this, and thank you for your concern.
This is golden ... You can only complain about a privacy issue if you are directly affected.
And seeing mandatory notification is not law yet, there's practically no way to find out if you are impacted or not, until identity theft happens.
neb:Geektastic:'She'll be right' strikes again.
Sadly, many New Zealand businesses are riddled with a lack of attention to detail in my experience.
There's actually multiple parties at fault, and one not at fault. The business itself outsourced it to an IT company so they're not really at fault. The IT company screwed up the AWS config so it wasn't secure. But the biggest problem is AWS, which has security mechanisms on their cloud stuff so profoundly unusable that breaches are pretty much guaranteed.
I have a number of SMEs that use S3. As soon as I saw this I rechecked to confirm they were secure, and yes they were, as expected, as my process does this. It was not hard; sounds to me like very poor discipline on behalf of the IT company or site developers.
Cyril
frankv:
.....
LPM's site says it was created by Black Cedar (blackcedar.co.nz). Their site is "Temporarily unavailable"... make of that what you will.
Blackcedar have a very bad server configuration.
https://www.blackcedar.co.nz/ works
https://blackcedar.co.nz/ ERR_CONNECTION_REFUSED
http://blackcedar.co.nz/ 500 error
neb:Geektastic:'She'll be right' strikes again.
Sadly, many New Zealand businesses are riddled with a lack of attention to detail in my experience.
There's actually multiple parties at fault, and one not at fault. The business itself outsourced it to an IT company so they're not really at fault. The IT company screwed up the AWS config so it wasn't secure. But the biggest problem is AWS, which has security mechanisms on their cloud stuff so profoundly unusable that breaches are pretty much guaranteed.

Geektastic:neb:
There's actually multiple parties at fault, and one not at fault. The business itself outsourced it to an IT company so they're not really at fault. The IT company screwed up the AWS config so it wasn't secure. But the biggest problem is AWS, which has security mechanisms on their cloud stuff so profoundly unusable that breaches are pretty much guaranteed.
Surely the biggest problem is the person/company that chose to use AWS?
frankv: No, the biggest problem is people who don't understand how to use AWS's security features, which aren't difficult at all.
It's the most godawful unusable security interface I've ever seen, and that includes things like RACF and VMS.
To give an example, walk us through the configuration steps required to set up a bucket where Accounts has read/write access, individual employees have read access, and no-one else has any access.
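As an added example, not part of any post in this thread: one way the access split asked about above could be written as an S3 bucket policy, with a small checker that flags any Allow statement open to every principal. The bucket name, account ID and role names are placeholders, IAM roles are assumed because IAM groups cannot be named as principals in a bucket policy, and the checker is a simplification that ignores Deny statements and does not evaluate Condition blocks.

```python
import json

# Constructed sample policy: bucket name, account ID and role names are placeholders.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AccountsReadWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/Accounts"},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-tenancy-docs/*"},
    {"Sid": "EmployeesReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/Employee"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-tenancy-docs/*"}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    # Principal is either the string "*" or a map such as {"AWS": arn-or-list}.
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    return [arn for v in p.values() for arn in _as_list(v)]

def public_statements(policy):
    """Sids of Allow statements open to any principal with no Condition."""
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy["Statement"])
            if s["Effect"] == "Allow" and "*" in _principals(s)
            and not s.get("Condition")]

def allowed_actions(policy, arn):
    """Actions the Allow statements grant to one exact principal ARN."""
    granted = set()
    for s in _as_list(policy["Statement"]):
        if s["Effect"] == "Allow" and ({arn, "*"} & set(_principals(s))):
            granted.update(_as_list(s["Action"]))
    return granted

# Constructed counter-example: the same policy plus one statement anyone can use.
LEAKY = {"Statement": POLICY["Statement"] + [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-tenancy-docs/*"}]}

if __name__ == "__main__":
    print(public_statements(POLICY), public_statements(LEAKY))
```

Listing the bucket would need a separate `s3:ListBucket` grant on the bucket ARN itself, which this sample leaves out.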