A Wellington property management company says it does not know for how long, or by how many people, the private details of tens of thousands of users were accessed after a design flaw left them available online.
Vadix Solutions security researcher Jake Dixon told the Herald he discovered an unsecured database back in May, which contained files related to the clients of LPM Property Management, based in Wellington.
The files included expired and active passports from New Zealand and overseas, drivers' licences, evidence of age documents, pictures of applicants and maintenance requests, he said.
They appeared to be either photos or scans of the documents used for verification purposes for the management company compliance process, Dixon said.
Dixon, who is based in Ireland, said as soon as he discovered the leak on May 10 he contacted the company via its online contact form, but never received a reply.
However, LPM Property Management spokesman Chris Galloway told the Herald they were not made aware of the unsecured data until June 10, when it was discovered by their own technical contractor.
The issue was "very quickly rectified" by the contractors by June 11, he said.
"The data is fully protected after our external technical contractor acted to ensure it was safe."
He could not confirm whether contact had also been made earlier, and said there was no record of CyberNews or Vadix trying to contact LPM.
When first contacted on Thursday morning, Galloway said there was "no evidence at all to suggest any unauthorised access".
However, several hours later, after the Herald explained how tech experts overseas had accessed the data in order to raise the alarm, Galloway confirmed that before the fix was applied on June 11 "a couple of tech specialists" had been able to view the data.
He has since confirmed those are the only accesses they are aware of, and could not rule out any other access prior to June 11.
"Our advice has been that there has been no unauthorised access since then."
The contractor, whom Galloway has refused to name, was now investigating how the issue came about.
"It appears that initially a design flaw in the website prepared for us created a problem, which was quickly rectified.
"We are now moving at pace to satisfy our clients and ourselves that all necessary steps have been taken to ensure this does not happen again."
The data vulnerability was in place for an "unknown period", something that would be the subject of an independent review launched today, he said.
The company had initially not advised tenants about the data exposure because its advice from its IT contractor was that the information had not been accessed. However, this afternoon it issued an advisory to tenants to update them about the situation.
The company also got in touch with the Privacy Commissioner, Galloway said.
Dixon said he came across the unsecured data while carrying out a security/infrastructure audit of unsecured Amazon Simple Storage Service (S3) buckets.
He found it "very unusual" the company said the data was secure by June 11, as the files were still public until July 6, when he said Amazon secured the database.
The bucket contained 31,610 files, of which only 15 were not images, and they were publicly accessible to anyone who had the URL.
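The exposure described above is the classic open-bucket misconfiguration: a bucket policy or ACL that grants access to everyone, with no Public Access Block to override it. The following audit check is an added example for this article, not code from LPM, Vadix or CyberNews; the bucket name, account id and role ARN are constructed placeholders, while the grantee group URIs and the four Public Access Block flag names are the real ones S3 uses.

```python
import json

# Real S3 group URIs; a grant to either makes objects readable well beyond the owner.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _principal_is_public(principal):
    """True when a policy statement applies to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy_json):
    """Sids of Allow statements in a bucket policy document that grant access to everyone."""
    stmts = json.loads(policy_json).get("Statement", []) if policy_json else []
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s.get("Sid", "<no-sid>") for s in stmts
            if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))]

def public_acl_grants(acl):
    """(group URI, permission) pairs the bucket ACL hands to the anonymous/any-AWS-user groups."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]

def audit_bucket(policy_json, acl, public_access_block):
    """Combine the three controls the way S3 evaluates them: a fully enabled
    Public Access Block neutralises public ACLs and public policy statements."""
    pab_ok = all(public_access_block.get(flag) for flag in PAB_FLAGS)
    findings = [f"policy statement '{sid}' allows Principal '*'" for sid in public_policy_statements(policy_json)]
    findings += [f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}" for uri, perm in public_acl_grants(acl)]
    return {"exposed": bool(findings) and not pab_ok, "pab_enabled": pab_ok, "findings": findings}

# Constructed samples: the exposed configuration beside a corrected one.
BUCKET = "arn:aws:s3:::example-tenant-docs/*"  # placeholder bucket, not the real one
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET}]})
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
NO_PAB = {flag: False for flag in PAB_FLAGS}
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": "s3:GetObject", "Resource": BUCKET}]})
FIXED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
FULL_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    print(audit_bucket(EXPOSED_POLICY, EXPOSED_ACL, NO_PAB))   # exposed: True, two findings
    print(audit_bucket(FIXED_POLICY, FIXED_ACL, FULL_PAB))     # exposed: False, no findings
```

In a live account the three inputs come from the get-bucket-policy, get-bucket-acl and get-public-access-block calls; the evaluation logic is the same.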
According to international technology media company CyberNews, which broke the story, LPM managed various landlords' property. The images within the database appeared to be either landlords or tenants applying for the service.
CyberNews published blurred images as examples of the breach on its website.
It was unclear whether "bad actors" had accessed the information, but it was possible, given that the files were "extremely easy" to access.
Scanned passports and drivers' licences could also be sold on the dark web for between NZ$20 and NZ$30 each, meaning they could collectively be worth well over $600,000.
Dixon said it was not the first data breach he'd attempted to assist with, but it was the first instance in which every communication was ignored.
"I find it very irresponsible that a company could be permitted to collect such data but not have controls in place to prevent this kind of compromise.
"I would hope that companies who utilise cloud technologies, especially for PII, would carry out regular reviews on security rules and networking configurations to ensure their clients' data is kept private."
Dixon said they had also contacted the Privacy Commissioner. However, because of the lockdown in New Zealand, its reply came two weeks after the initial contact on May 10.
Its reply was that there was nothing it could do to assist, Dixon said.
A spokesman for the Privacy Commissioner told the Herald it had referred Dixon to CERT NZ, the government agency responsible for cybersecurity.
While there was currently no obligation for companies to report data vulnerability issues, an update to the Privacy Act, due to come into force on December 1, will make it mandatory to report a data breach to the commissioner and to any affected customers, he said.
Security issues and company responsibilities
Online storage from Amazon Web Services and other online providers is cheap.
But technology expert Juha Saarinen says: "It's very common for companies to stuff things into AWS and elsewhere and omit to apply any access controls. A number of security vendors have made it their business to scan for open S3 storage buckets and new ones pop up every week."
Anyone who felt their privacy had been breached could make a formal complaint to the Office of the Privacy Commissioner.
CERT NZ deputy director Declan Ingram, whose agency handles cyber security for the Government, said that because of the "sensitive nature of the reports" it would not confirm or deny involvement with any particular incident.
However, he provided some general advice: "Standard security measures, such as long, strong passwords and two-factor authentication, are the first step in keeping sensitive data protected.
"In addition, we recommend that businesses consider segmenting their network, including cloud-hosted networks.
"As part of this, businesses should identify sensitive information on their systems, and ensure that access to that data is limited only to systems or people that need it.
"By ensuring that all access to sensitive data is controlled, businesses reduce the likelihood of unauthorised access to the data in those systems.
"This protects the business, and its customers, from having sensitive information leaked or stolen."
Real Estate Institute of New Zealand chief executive Bindi Norwell said LPM was not a REINZ member.
REINZ had been working with its members around the importance of protecting customers' and clients' personal information.
It had also been advocating for the property management profession to be regulated to ensure companies complied with relevant legislation.
"This is yet another example of why regulation would help support tenants, property managers and landlords."
The Department of Internal Affairs said the data issue was the responsibility of the private company.