Geekzone: technology news, blogs, forums


sudo



#272786 16-Jul-2020 03:05

https://cybernews.com/security/new-zealand-property-management-company-leaks-30000-passports-drivers-licenses/

 

"CyberNews received information from reader Jake Dixon, a security researcher with Vadix Solutions, who discovered an unsecured Amazon Simple Storage Solution (S3) database containing more than 31,000 images of users’ passports, driver’s licenses, evidence of age documents, and more. These files are publicly accessible to anyone who has the URL and appears to be owned by the Wellington, New Zealand company LPM Property Management."

 

 

 

(edit: changed title as it wasn't a 'leak')


Behodar

  #2523893 16-Jul-2020 07:46

Both Vadix and CyberNews attempted to contact LPM Property Management to secure their database. Unfortunately, the company was unresponsive

 

This is probably the worst part, and there need to be penalties for this kind of thing.




stuzenz


  #2523904 16-Jul-2020 08:26

I agree with you. I sent an email about it asking if there is an investigation open to the investigations team for the Office of the Privacy Commissioner.


bener

  #2523960 16-Jul-2020 09:53

Behodar:

 

Both Vadix and CyberNews attempted to contact LPM Property Management to secure their database. Unfortunately, the company was unresponsive

 

This is probably the worst part, and there need to be penalties for this kind of thing.

 

 

And it gets better...

 

"We attempted to contact LPM Property Management on June 2, after Vadix attempted to contact them on May 10. However, we did not get any response from the company. For that reason, we contacted Amazon Web Services on June 9. They got in contact with the vendor who seems to have refused to fix the issue.

 

After we insisted that this type of data should not be made public, Amazon was finally able to secure the database on July 6.

 

We have not received any comment from LPM Property Management."




ShinyChrome

  #2523967 16-Jul-2020 10:07

bener:

 

And it gets better...

 

"We attempted to contact LPM Property Management on June 2, after Vadix attempted to contact them on May 10. However, we did not get any response from the company. For that reason, we contacted Amazon Web Services on June 9. They got in contact with the vendor who seems to have refused to fix the issue.

 

After we insisted that this type of data should not be made public, Amazon was finally able to secure the database on July 6.

 

We have not received any comment from LPM Property Management."

 

 

Wow, that is next level bad. Someone should be taken to court over this level of negligence. Some companies need due-care responsibility of data held beaten into them it seems.


surfisup1000


  #2523972 16-Jul-2020 10:16

From companies office...

 

LPM PROPERTY MANAGEMENT NEW ZEALAND LIMITED (3027642) Registered
Company number: 3027642
NZBN: 9429031459501
Incorporation Date: 14 Jul 2010
Company Status: Registered
Entity type: NZ Limited Company
Constitution filed: No
AR filing month: June, last filed on 03 Jun 2020
Company addresses:
Registered Office: All Accounted For Limited, Ground Floor 271-277 Willis Street, Te Aro, Wellington, 6011, New Zealand
Address for service: All Accounted For Limited, Ground Floor 271-277 Willis Street, Te Aro, Wellington, 6011, New Zealand
 

 

Anyone who knows them should contact them...urgently.

 

 

 

 


sudo



  #2523998 16-Jul-2020 10:56

I sent an email to Privacy commission, but haven't heard a response.

 

 

 

Interesting they have this on their site about reporting breaches:

 

Mandatory privacy breach reporting

 

Upcoming changes to privacy law will introduce mandatory privacy breach reporting.

 

The law changes are likely to take effect later in 2020. One of the key changes will be the requirement to report privacy breaches that pose a risk of serious harm. 

 

When the law changes are finalised, we will release guidance to help you prepare for the new requirements. 

 

We are currently in the process of developing an online breach tool that will guide you through the reporting process. 

 

https://www.privacy.org.nz/privacy-for-agencies/privacy-breaches/

 

 

 

 


 
 
 

freitasm

  #2523999 16-Jul-2020 10:57

The new privacy law that makes reporting and acting on this a mandatory requirement doesn't come into force until December.






 


Geektastic

  #2524005 16-Jul-2020 11:07

'She'll be right' strikes again.

 

 

 

Sadly, many New Zealand businesses are riddled with a lack of attention to detail in my experience.






freitasm

  #2524011 16-Jul-2020 11:18

From here on Stuff:

 

 

In a statement, LPM Property Management said it took the protection of its clients’ data “very seriously”.

 

“That's why we promptly dealt with this issue once we were made aware of it,” the statement said.

 

“The data is fully protected after our external technical contractor acted to ensure it was safe. There is no evidence at all to suggest any unauthorised access.

 

“It appears that initially a design flaw in the website prepared for us created a problem which was quickly rectified.”

 

“We are now moving at pace to satisfy our clients and ourselves that all necessary steps have been taken to ensure this does not happen again. Our review will continue throughout the day. We expect to be in a position to update our clients tomorrow,” the statement said.

 

Real Estate Institute of New Zealand’s (REINZ) chief executive Bindi Norwell said the company at the centre of the breach was not a member.

 






 


SirHumphreyAppleby


  #2524012 16-Jul-2020 11:21

Geektastic:

 

'She'll be right' strikes again.

 

Sadly, many New Zealand businesses are riddled with a lack of attention to detail in my experience.

 

 

Sadly, this is true. A family member has a card with a major retailer and accessing their online portal now gives a security warning because they're still using the now-deprecated and very outdated TLS 1.0. What did their customer service suggest? Use another browser.

 

The same company also sends out e-mails with tracking links to their portal rather than showing the actual URL... bad practice IMO.


alasta

  #2524056 16-Jul-2020 11:41

It would be nice to think that this sort of situation could be avoided by people simply refusing to provide electronic copies of identity documents to third parties. Unfortunately the property rental market in Wellington is so toxic now that prospective tenants have to do what they're told in order to avoid becoming homeless.


 
 
 

antonknee


  #2524110 16-Jul-2020 12:27

freitasm:

 

From here on Stuff:

 

 

In a statement, LPM Property Management said it took the protection of its clients’ data “very seriously”.

 

“That's why we promptly dealt with this issue once we were made aware of it,” the statement said.

 

“The data is fully protected after our external technical contractor acted to ensure it was safe. There is no evidence at all to suggest any unauthorised access.

 

“It appears that initially a design flaw in the website prepared for us created a problem which was quickly rectified.”

 

“We are now moving at pace to satisfy our clients and ourselves that all necessary steps have been taken to ensure this does not happen again. Our review will continue throughout the day. We expect to be in a position to update our clients tomorrow,” the statement said.

 

Real Estate Institute of New Zealand’s (REINZ) chief executive Bindi Norwell said the company at the centre of the breach was not a member.

 

 

 

Isn't this statement patently untrue? I.e. LPM did not in fact promptly deal with this issue once they were made aware of it?


antonknee


  #2524113 16-Jul-2020 12:31

alasta:

 

It would be nice to think that this sort of situation could be avoided by people simply refusing to provide electronic copies of identity documents to third parties. Unfortunately the property rental market in Wellington is so toxic now that prospective tenants have to do what they're told in order to avoid becoming homeless.

 

 

Agree that this shouldn't need to happen - sighting proof of identity ought to be sufficient rather than this needing to be retained at all (potentially insecurely). Unfortunately I also agree with you that our housing/rental market is so toxic that no prospective tenant would dare jeopardise their possibility of renting a property by not toeing the line on this. Wasn't too long ago we had tenants bidding rents above the asking price just to get a place.

 

In any case if you must verify identity, why not use one of the myriad services that offer this instead of asking for electronic copies? RealMe works very well in my experience, and the NZTA appears to have APIs for verifying drivers license details.


frankv

  #2524116 16-Jul-2020 12:50

 

From https://www.dnc.org.nz/whois/search?domain_name=lpmproperty.co.nz

 

Registrant Name: LAMBTON PROPERTY MANAGEMENT LIMITED
Registrant Contact Address: 271-277 Willis Street, All Accounted For Limited
Registrant Contact City: Wellington
Registrant Contact Postal Code: 6011
Registrant Contact Country: NZ (NEW ZEALAND)
Registrant Contact Phone: +64 048050599
Registrant Contact Email: 58c584206cd0848d8a253a37972eb710-8231307@contact.gandi.net

Admin Contact Name: Shayne Thurston
Admin Contact Address: 271-277 Willis Street, All Accounted For Limited
Admin Contact City: Wellington
Admin Contact Postal Code: 6011
Admin Contact Country: NZ (NEW ZEALAND)
Admin Contact Phone: +64 048050599
Admin Contact Email: 58c584206cd0848d8a253a37972eb710-8231307@contact.gandi.net

 

 

[Edit for layout]


frankv

  #2524118 16-Jul-2020 12:54

From Google:

 

 

Lambton Property Management

Address: 22 Haining Street, Te Aro, Wellington 6011

 

 

 

 

