3828 posts

Uber Geek

Lifetime subscriber

  #2524124 16-Jul-2020 13:04

 

Real Estate Institute of New Zealand’s (REINZ) chief executive Bindi Norwell said the company at the centre of the breach was not a member.

 

 

Which is perhaps a bit disingenuous, given that the owner of the company appears as an agent on their web site

 

 


264 posts

Ultimate Geek

Trusted

  #2524176 16-Jul-2020 15:06

freitasm:

 

From here on Stuff:

 

 

In a statement, LPM Property Management said it took the protection of its clients’ data “very seriously”.

 

“That's why we promptly dealt with this issue once we were made aware of it,” the statement said.

 

“The data is fully protected after our external technical contractor acted to ensure it was safe. There is no evidence at all to suggest any unauthorised access.

 

“It appears that initially a design flaw in the website prepared for us created a problem which was quickly rectified.”

 

“We are now moving at pace to satisfy our clients and ourselves that all necessary steps have been taken to ensure this does not happen again. Our review will continue throughout the day. We expect to be in a position to update our clients tomorrow,” the statement said.

 

Real Estate Institute of New Zealand’s (REINZ) chief executive Bindi Norwell said the company at the centre of the breach was not a member.

 

 

 

Interesting that the Stuff article takes them at their word on this, and does not include the original information about Cybernews and Amazon contacting LPM about it, and LPM failing to act.


 
 
 
 


4046 posts

Uber Geek


  #2524178 16-Jul-2020 15:14

A small SME like that likely listened to their IT provider, who said 'watch out for suspect emails to avoid Crypto'. I can just see the email now..

 

to:info@thatplace

 

Subject Security Breach

 

/OMG Red flag.. this might be phishing/

 

Dear Sir/Madam

 

I work for Vadix Solutions, A Compliance and Security..

 

*DELETE*

 

 


3 posts

Wannabe Geek


  #2524181 16-Jul-2020 15:25

 

 

From here on Stuff:

 

--

 

Interesting that the Stuff article takes them at their word on this, and does not include the original information about Cybernews and Amazon contacting LPM about it, and LPM failing to act.

 

--

 

I agree with you. I sent an email to the tips email address in the article about the same point earlier on - suggesting they did a follow-up email due to the conflicting stories. I decided to CC the Privacy Commissioner's investigation team into the same email for no real reason in particular. It will be interesting to see if a follow-up story comes through.


3370 posts

Uber Geek

Subscriber

  #2524186 16-Jul-2020 15:30

30,000 records? Is this their current list or every registration they've ever had? How long is it reasonable to keep tenants' data?

neb

2578 posts

Uber Geek

Trusted
Lifetime subscriber

  #2524190 16-Jul-2020 15:37

Geektastic:

'She'll be right' strikes again.

 

 

 

Sadly, many New Zealand businesses are riddled with a lack of attention to detail in my experience.

 

 

There's actually multiple parties at fault, and one not at fault. The business itself outsourced it to an IT company so they're not really at fault. The IT company screwed up the AWS config so it wasn't secure. But the biggest problem is AWS, which has security mechanisms on their cloud stuff so profoundly unusable that breaches are pretty much guaranteed.

3 posts

Wannabe Geek


  #2524202 16-Jul-2020 15:53

 

 

There are some things you cannot contract yourself out of.

 

The legal obligation for securing the privacy information that you are the custodian of would still sit with LPM.

 

Apart from that, it seems the data retention policies or the execution of those policies might also be out of sync when viewed against the rationale for collecting the information. As someone else mentioned, 30,000 records suggests they have a fair amount of privacy data that is not required by the processes to be run on the related accounts - a fair few of which I assume are ex-tenants.

 

 


 
 
 
 




198 posts

Master Geek


  #2524267 16-Jul-2020 18:15

Got my response from the Privacy Commission.

 

Thank you for your enquiry about the LPM Property Management privacy breach.

 

We are only able to accept a complaint from individuals directly impacted by the breach.

 

If you believe that your information was exposed in the breach please let us know. If you were not directly impacted by the breach, we are not able to investigate a complaint from you as an individual (though we are grateful to you for bringing your concerns to our attention).  

 

We are unable to comment on whether we have received or are investigating any complaints about this matter at this time. If we received a complaint from an affected individual we would assess their concerns as we do any other incoming complaint.

 

I trust this clarifies the role of our Office in responding to a breach like this, and thank you for your concern.

 

 

 

This is golden ... You can only complain about a privacy issue if you are directly affected.


BDFL - Memuneh
67791 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #2524284 16-Jul-2020 18:33

And seeing mandatory notification is not law yet, there's practically no way to find out if you are impacted or not, until identity theft happens.





 

 



3828 posts

Uber Geek

Lifetime subscriber

  #2524310 16-Jul-2020 19:56

neb:
Geektastic:

'She'll be right' strikes again.


 


Sadly, many New Zealand businesses are riddled with a lack of attention to detail in my experience.



There's actually multiple parties at fault, and one not at fault. The business itself outsourced it to an IT company so they're not really at fault. The IT company screwed up the AWS config so it wasn't secure. But the biggest problem is AWS, which has security mechanisms on their cloud stuff so profoundly unusable that breaches are pretty much guaranteed.


It's a few months since I got my AWS certification (Solutions Architect and Developer) and I haven't touched AWS since, but it's not hard to lock down access to an S3 bucket so it's only publicly accessible via a website, which in turn can be secured. So I dispute your characterisation as "profoundly unusable".

LPM's site says it was created by Black Cedar (blackcedar.co.nz). Their site is "Temporarily unavailable"... make of that what you will.

7664 posts

Uber Geek

Trusted
Subscriber

  #2524327 16-Jul-2020 20:21

I have a number of SMEs that use S3; as soon as I saw this I rechecked to confirm they were secure, and yes they were, as expected, as my process does this. Was not hard. Sounds to me like very poor discipline on behalf of the IT company or site developers.

 

Cyril


648 posts

Ultimate Geek

Subscriber

  #2524330 16-Jul-2020 20:40

frankv:

 

.....

 

LPM's site says it was created by Black Cedar (blackcedar.co.nz). Their site is "Temporarily unavailable"... make of that what you will.

 

Blackcedar have a very bad server configuration.

 

https://www.blackcedar.co.nz/ works 
https://blackcedar.co.nz/ ERR_CONNECTION_REFUSED
http://blackcedar.co.nz/ 500 error


14696 posts

Uber Geek

Trusted
Lifetime subscriber

  #2524376 16-Jul-2020 20:50

neb:
Geektastic:

'She'll be right' strikes again.


 


Sadly, many New Zealand businesses are riddled with a lack of attention to detail in my experience.



There's actually multiple parties at fault, and one not at fault. The business itself outsourced it to an IT company so they're not really at fault. The IT company screwed up the AWS config so it wasn't secure. But the biggest problem is AWS, which has security mechanisms on their cloud stuff so profoundly unusable that breaches are pretty much guaranteed.


Surely the biggest problem is the person/company that chose to use AWS?





3828 posts

Uber Geek

Lifetime subscriber

  #2524382 16-Jul-2020 21:06

Geektastic:
neb:

There's actually multiple parties at fault, and one not at fault. The business itself outsourced it to an IT company so they're not really at fault. The IT company screwed up the AWS config so it wasn't secure. But the biggest problem is AWS, which has security mechanisms on their cloud stuff so profoundly unusable that breaches are pretty much guaranteed.


Surely the biggest problem is the person/company that chose to use AWS?


No, the biggest problem is people who don't understand how to use AWS's security features, which aren't difficult at all.


neb

2578 posts

Uber Geek

Trusted
Lifetime subscriber

  #2524395 16-Jul-2020 21:33

frankv: No, the biggest problem is people who don't understand how to use AWS's security features, which aren't difficult at all.

 

 

It's the most godawful unusable security interface I've ever seen, and that includes things like RACF and VMS.

 

 

To give an example, walk us through the configuration steps required to set up a bucket where Accounts has read/write access, individual employees have read access, and no-one else has any access.
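
One way to express the access model asked about above as an S3 bucket policy plus Block Public Access, added here as an example; it is not part of the thread or any poster's configuration. IAM groups cannot be named as principals in a bucket policy, so it assumes "Accounts" and "Staff" are IAM roles; the bucket name, account ID, role names and the exempted admin role are all placeholders.

```shell
# Added example. Every name below is a placeholder, not a value from the thread.
BUCKET="example-tenancy-docs"            # hypothetical bucket name
ROLES="arn:aws:iam::111122223333:role"   # placeholder AWS account ID
ACCOUNTS="${ROLES}/Accounts"             # hypothetical role: read/write
STAFF="${ROLES}/Staff"                   # hypothetical role: read only
ADMIN="${ROLES}/BucketAdmin"             # hypothetical admin role (assumption)

# Print the policy. The Allows grant access; the Denies keep out every other
# principal, including same-account users whose IAM policies allow s3:*.
render_policy() {
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AccountsReadWrite", "Effect": "Allow",
     "Principal": {"AWS": "${ACCOUNTS}"},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::${BUCKET}/*"},
    {"Sid": "StaffReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "${STAFF}"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::${BUCKET}/*"},
    {"Sid": "ListForBoth", "Effect": "Allow",
     "Principal": {"AWS": ["${ACCOUNTS}", "${STAFF}"]},
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::${BUCKET}"},
    {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::${BUCKET}", "arn:aws:s3:::${BUCKET}/*"],
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn":
       ["${ACCOUNTS}", "${STAFF}", "${ADMIN}"]}}},
    {"Sid": "DenyWritesExceptAccounts", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::${BUCKET}/*",
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn":
       ["${ACCOUNTS}", "${ADMIN}"]}}}
  ]
}
EOF
}
# Apply to a real bucket (needs AWS CLI credentials): sh <this-script> apply
apply_policy() {
  aws s3api put-public-access-block --bucket "$BUCKET" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  render_policy > policy.json
  aws s3api put-bucket-policy --bucket "$BUCKET" --policy file://policy.json
}
if [ "${1:-}" = "apply" ]; then apply_policy; fi
```

Apply it while signed in as the exempted admin role: the Deny statements also apply to the principal that attached the policy, unless it is one of the exempted roles.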
