Personal details of more than 31,000 users of a Wellington property management company have been leaked online.

Vadix Solutions security researcher Jake Dixon told the Herald he discovered an unsecured database in May which contained files related to the clients of LPM Property Management, based in Wellington.

The files included expired and active passports from New Zealand and overseas, drivers' licences, evidence of age documents, pictures of applicants and maintenance requests, he said.

They appeared to be either photos or scans of the documents used for verification purposes for the management company compliance process, Dixon said.

Dixon, who is based in Ireland, said as soon as they discovered the leak on May 10 they contacted the company via its online contact form. They never received a reply.

However, a spokesman for LPM Property Management told the Herald they were not made aware of the unsecured data until June 10, when they were contacted by international technology publication CyberNews.

The issue was "very quickly rectified" by technology contractors by June 11, he said.

He could not confirm if contact had also been made prior.

"We take the protection of our clients' data very seriously.

"That's why we promptly dealt with this issue once we were made aware of it.

"The data is fully protected after our external technical contractor acted to ensure it was safe."

He would not reveal who the company's technology contractor was, but said according to them there was "no evidence at all to suggest any unauthorised access".

The contractor was now investigating how the issue came about.

"It appears that initially a design flaw in the website prepared for us created a problem which was quickly rectified.

"We are now moving at pace to satisfy our clients and ourselves that all necessary steps have been taken to ensure this does not happen again.

"Our review will continue throughout the day. We expect to be in a position to update our clients tomorrow."

Dixon told the Herald he came across the unsecured data while carrying out a security/infrastructure audit on unsecured Amazon Simple Storage Solution (S3) database buckets.

"This is not the first data breach that Vadix has attempted to assist with; however, this is the first instance where every communication was ignored.

"I find it very irresponsible that a company could be permitted to collect such data but not have controls on to prevent this kind of compromise.

"I would hope that companies who utilize cloud technologies, especially for PPI, would carry out regular reviews on security rules and networking configurations to ensure their clients' data is kept private."

Dixon said they also contacted the Privacy Commissioner; however, due to the lockdown in New Zealand, their reply came two weeks after initial contact on May 10.

Their reply was that there was nothing they could do to assist, Dixon said.

A spokesman for the Privacy Commissioner told the Herald they had not been notified of the breach.

Anyone who felt their privacy had been breached could make a formal complaint to the Office of the Privacy Commissioner.

Declan Ingram, deputy director of CERT NZ, a government agency which handles cyber security, said that due to the "sensitive nature of the reports", they would not confirm or deny involvement with any particular incident.

However, he provided some general advice: "Standard security measures, such as long, strong passwords and two-factor authentication, are the first step in keeping sensitive data protected.

"In addition, we recommend that businesses consider segmenting their network, including cloud hosted networks.

"As part of this, businesses should identify sensitive information on their systems, and ensure that access to that data is limited only to systems or people that need it.

"By ensuring that all access to sensitive data is controlled, businesses reduce the likelihood of unauthorised access to the data in those systems.

"This protects the business, and its customers, from having sensitive information leaked or stolen."

The Department of Internal Affairs has been approached for further comment.