Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




200 posts

Master Geek


#272786 16-Jul-2020 03:05
Send private message quote this post

https://cybernews.com/security/new-zealand-property-management-company-leaks-30000-passports-drivers-licenses/

 

"CyberNews received information from reader Jake Dixon, a security researcher with Vadix Solutions, who discovered an unsecured Amazon Simple Storage Solution (S3) database containing more than 31,000 images of users’ passports, driver’s licenses, evidence of age documents, and more. These files are publicly accessible to anyone who has the URL and appears to be owned by the Wellington, New Zealand company LPM Property Management."

 

 

 

(edit: changed title as it wasn't a 'leak')


View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2 | 3
7068 posts

Uber Geek

Trusted
Lifetime subscriber

  #2523893 16-Jul-2020 07:46
Send private message quote this post

Both Vadix and CyberNews attempted to contact LPM Property Management to secure their database. Unfortunately, the company was unresponsive

 

This is probably the worst part, and there needs to be penalties for this kind of thing.


3 posts

Wannabe Geek


  #2523904 16-Jul-2020 08:26
Send private message quote this post

I agree with you. I sent an email about it asking if there is an investigation open to the investigations team for the Office of the Privacy Commissioner.


 
 
 
 


264 posts

Ultimate Geek

Trusted

  #2523960 16-Jul-2020 09:53
Send private message quote this post

Behodar:

 

Both Vadix and CyberNews attempted to contact LPM Property Management to secure their database. Unfortunately, the company was unresponsive

 

This is probably the worst part, and there needs to be penalties for this kind of thing.

 

 

And it gets better...

 

"We attempted to contact LPM Property Management on June 2, after Vadix attempted to contact them on May 10. However, we did not get any response from the company. For that reason, we contacted Amazon Web Services on June 9. They got in contact with the vendor who seems to have refused to fix the issue.

 

After we insisted that this type of data should not be made public, Amazon was finally able to secure the database on July 6.

 

We have not received any comment from LPM Property Management."


956 posts

Ultimate Geek

Trusted
Subscriber

  #2523967 16-Jul-2020 10:07
Send private message quote this post

bener:

 

And it gets better...

 

"We attempted to contact LPM Property Management on June 2, after Vadix attempted to contact them on May 10. However, we did not get any response from the company. For that reason, we contacted Amazon Web Services on June 9. They got in contact with the vendor who seems to have refused to fix the issue.

 

After we insisted that this type of data should not be made public, Amazon was finally able to secure the database on July 6.

 

We have not received any comment from LPM Property Management."

 

 

Wow, that is next level bad. Someone should be taken to court over this level of negligence. Some companies need due-care responsibility of data held beaten in to them it seems.


4753 posts

Uber Geek


  #2523972 16-Jul-2020 10:16
Send private message quote this post

From companies office...

 

LPM PROPERTY MANAGEMENT NEW ZEALAND LIMITED (3027642) Registered
Company number:3027642
NZBN:9429031459501
Incorporation Date:14 Jul 2010
Company Status:Registered
Entity type:NZ Limited Company
Constitution filed:No
AR filing month:June , last filed on 03 Jun 2020
Company addresses:Registered Office
All Accounted For Limited, Ground Floor 271-277 Willis Street, Te Aro, Wellington, 6011 , New Zealand
 Address for service
All Accounted For Limited, Ground Floor 271-277 Willis Street, Te Aro, Wellington, 6011 , New Zealand
 

 

Anyone who knows them should contact them...urgently.

 

 

 

 




200 posts

Master Geek


  #2523998 16-Jul-2020 10:56
Send private message quote this post

I sent an email to Privacy commission, but haven't heard a response.

 

 

 

Interesting they have this on their site about reporting breaches:

 

Mandatory privacy breach reporting

 

Upcoming changes to privacy law will introduce mandatory privacy breach reporting.

 

The law changes are likely to take effect later in 2020. One of the key changes will be the requirement to report privacy breaches that pose a risk of serious harm. 

 

When the law changes are finalised, we will release guidance to help you prepare for the new requirements. 

 

We are currently in the process of developing an online breach tool that will guide you through the reporting process. 

 

https://www.privacy.org.nz/privacy-for-agencies/privacy-breaches/

 

 

 

 


BDFL - Memuneh
67914 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #2523999 16-Jul-2020 10:57
Send private message quote this post

The new privacy law that makes reporting and acting on this a mandatory requirement doesn't come into force until December.





 

 

These links are referral codes

 

Geekzone broadband switch | Eletricity comparison and switch | Hatch investment (NZ$ 10 bonus if NZ$100 deposited within 30 days) | Sharesies | Mighty Ape | Backblaze | Amazon | My technology disclosure 


 
 
 
 


14730 posts

Uber Geek

Trusted
Lifetime subscriber

  #2524005 16-Jul-2020 11:07
Send private message quote this post

'She'll be right' strikes again.

 

 

 

Sadly, many New Zealand businesses are riddled with a lack of attention to detail in my experience.






BDFL - Memuneh
67914 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #2524011 16-Jul-2020 11:18
Send private message quote this post

From here on Stuff:

 

 

In a statement, LPM Property Management said it took the protection of its clients’ data “very seriously”.

 

“That's why we promptly dealt with this issue once we were made aware of it,” the statement said.

 

“The data is fully protected after our external technical contractor acted to ensure it was safe. There is no evidence at all to suggest any unauthorised access.

 

“It appears that initially a design flaw in the website prepared for us created a problem which was quickly rectified.”

 

We are now moving at pace to satisfy our clients and ourselves that all necessary steps have been taken to ensure this does not happen again. Our review will continue throughout the day. We expect to be in a position to update our clients tomorrow,” the statement said.

 

Real Estate Institute of New Zealand’s (REINZ) chief executive Bindi Norwell said the company at the centre of the breach was not a member.

 





 

 

These links are referral codes

 

Geekzone broadband switch | Eletricity comparison and switch | Hatch investment (NZ$ 10 bonus if NZ$100 deposited within 30 days) | Sharesies | Mighty Ape | Backblaze | Amazon | My technology disclosure 


1342 posts

Uber Geek


  #2524012 16-Jul-2020 11:21
Send private message quote this post

Geektastic:

 

'She'll be right' strikes again.

 

Sadly, many New Zealand businesses are riddled with a lack of attention to detail in my experience.

 

 

Sadly, this is true. A family member has a card with a major retailer and accessing their online portal now gives a security warning because they're still using the now-deprecated and very outdated TLS 1.0. What did their customer service suggest? Use another browser.

 

The same company also sends out e-mails with tracking links to their portal rather than showing the actual URL... bad practice IMO.


4694 posts

Uber Geek

Trusted
Subscriber

  #2524056 16-Jul-2020 11:41
Send private message quote this post

It would be nice to think that this sort of situation could be avoided by people simply refusing to provide electronic copies of identity documents to third parties. Unfortunately the property rental market in Wellington is so toxic now that prospective tenants have to do what they're told in order to avoid becoming homeless.


403 posts

Ultimate Geek


  #2524110 16-Jul-2020 12:27
Send private message quote this post

freitasm:

 

From here on Stuff:

 

 

In a statement, LPM Property Management said it took the protection of its clients’ data “very seriously”.

 

“That's why we promptly dealt with this issue once we were made aware of it,” the statement said.

 

“The data is fully protected after our external technical contractor acted to ensure it was safe. There is no evidence at all to suggest any unauthorised access.

 

“It appears that initially a design flaw in the website prepared for us created a problem which was quickly rectified.”

 

We are now moving at pace to satisfy our clients and ourselves that all necessary steps have been taken to ensure this does not happen again. Our review will continue throughout the day. We expect to be in a position to update our clients tomorrow,” the statement said.

 

Real Estate Institute of New Zealand’s (REINZ) chief executive Bindi Norwell said the company at the centre of the breach was not a member.

 

 

 

Isn't this statement patently untrue? I.e. LPM did not infact promptly deal with this issue once they were made aware of it?





Ant  Reformed geek | Referral links: Electric Kiwi  Sharesies  Stake


403 posts

Ultimate Geek


  #2524113 16-Jul-2020 12:31
Send private message quote this post

alasta:

 

It would be nice to think that this sort of situation could be avoided by people simply refusing to provide electronic copies of identity documents to third parties. Unfortunately the property rental market in Wellington is so toxic now that prospective tenants have to do what they're told in order to avoid becoming homeless.

 

 

Agree that this shouldn't need to happen - sighting proof of identity ought to be sufficient rather than this needing to be retained at all (potentially unsecurely). Unfortunately I also agree with you that our housing/rental market is so toxic that no prospective would dare jeopardise their possibility of renting a property by not toeing the line on this. Wasn't too long ago we had tenants bidding rents above the asking price just to get a place. 

 

In any case if you must verify identity, why not use one of the myriad services that offers this instead of asking for electronic copies. RealMe works very well in my experience, and the NZTA appears to have APIs for verifying drivers license details.





Ant  Reformed geek | Referral links: Electric Kiwi  Sharesies  Stake


3842 posts

Uber Geek

Lifetime subscriber

  #2524116 16-Jul-2020 12:50
Send private message quote this post

 

From https://www.dnc.org.nz/whois/search?domain_name=lpmproperty.co.nz

 

Registrant Name LAMBTON PROPERTY MANAGEMENT LIMITED

 

Registrant Contact Address 271-277 Willis Street, All Accounted For Limited

 

Registrant Contact City Wellington

 

Registrant Contact Postal Code 6011

 

Registrant Contact Country NZ (NEW ZEALAND)

 

Registrant Contact Phone +64 048050599

 

Registrant Contact Email 58c584206cd0848d8a253a37972eb710-8231307@contact.gandi.net    

 

Admin Contact Name Shayne Thurston

 

Admin Contact Address 271-277 Willis Street, All Accounted For Limited

 

Admin Contact City Wellington

 

Admin Contact Postal Code 6011

 

Admin Contact Country NZ (NEW ZEALAND)

 

Admin Contact Phone +64 048050599

 

Admin Contact Email 58c584206cd0848d8a253a37972eb710-8231307@contact.gandi.net    

 

 

[Edit for layout]


3842 posts

Uber Geek

Lifetime subscriber

  #2524118 16-Jul-2020 12:54
Send private message quote this post

From Google:

 

 

Lambton Property Management

 

 

 

 

 

 

Address: 22 Haining Street, Te Aro, Wellington 6011

 

 

 

 


 1 | 2 | 3
View this topic in a long page with up to 500 replies per page Create new topic




News »

Pre-orders for Huawei MateBook 13 open now
Posted 14-Aug-2020 14:26


Freeview On Demand app launches on Sony Android TVs
Posted 6-Aug-2020 13:35


UFB hits more than one million connections
Posted 6-Aug-2020 09:42


D-Link A/NZ extends COVR Wi-Fi EasyMesh System series with new three-pack
Posted 4-Aug-2020 15:01


New Zealand software Rfider tracks coffee from Colombia all the way to New Zealand businesses
Posted 3-Aug-2020 10:35


Logitech G launches Pro X Wireless gaming headset
Posted 3-Aug-2020 10:21


Sony Alpha 7S III provides supreme imaging performance
Posted 3-Aug-2020 10:11


Sony introduces first CFexpress Type A memory card
Posted 3-Aug-2020 10:05


Marsello acquires Goody consolidating online and in-store marketing position
Posted 30-Jul-2020 16:26


Fonterra first major customer for Microsoft's New Zealand datacentre
Posted 30-Jul-2020 08:07


Everything we learnt at the IBM Cloud Forum 2020
Posted 29-Jul-2020 14:45


Dropbox launches native HelloSign workflow and data residency in Australia
Posted 29-Jul-2020 12:48


Spark launches 5G in Palmerston North
Posted 29-Jul-2020 09:50


Lenovo brings speed and smarter features to new 5G mobile gaming phone
Posted 28-Jul-2020 22:00


Withings raises $60 million to enable bridge between patients and healthcare
Posted 28-Jul-2020 21:51



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.