[BreachExchange] Data leak: More than 30, 000 LPM Property Management clients' personal data available

[Destry Winant]

https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12348489

A Wellington property management company says it has no idea for how
long nor how many people accessed the private details of tens of
thousands of users made available online through a design flaw.

Vadix Solutions security researcher Jake Dixon told the Herald he
discovered an unsecured database back in May, which contained files
related to the clients of LPM Property Management, based in
Wellington.

The files included expired and active passports from New Zealand and
overseas, drivers' licences, evidence of age documents, pictures of
applicants and maintenance requests, he said.

They appeared to be either photos or scans of the documents used for
verification purposes for the management company compliance process,
Dixon said.

Dixon, who is based in Ireland, said as soon as he discovered the leak
on May 10 he contacted the company via its online contact form, but
never received a reply.

However, LPM Property Management spokesman Chris Galloway told the
Herald they were not made aware of the unsecured data until June 10,
when it was discovered by their own technical contractor.

Live: 'Others' fingerprints all over this': Police Minister on
National MP Hamish Walker's Covid privacy breach - NZ Herald
Customer raises data breach question as Domino's spammer returns - NZ Herald
Spark warns 21,000 customers that their details are for sale on the
dark web - NZ Herald
Kiwi educators exposed in Ashley Madison data leak - NZ Herald

The issue was "very quickly rectified" by the contractors by June 11, he said.

"The data is fully protected after our external technical contractor
acted to ensure it was safe."

He could not confirm if contact had also been made prior, and said
there was no record of CyberNews or Vadix trying to contact LPM.

When first contacted on Thursday morning, Galloway said there was "no
evidence at all to suggest any unauthorised access".


However, several hours later, following queries from the Herald
explaining how tech experts overseas accessed the data to be able to
raise the alarm, Galloway confirmed before the fix was applied on June
11, "a couple of tech specialists" were able to view the data.

He has since confirmed those are the only accesses they are aware of,
and could not rule out any other access prior to June 11.


"Our advice has been that there has been no unauthorised access since then."

The contractor, who Galloway has refused to name, was now
investigating how the issue came about.

"It appears that initially a design flaw in the website prepared for
us created a problem, which was quickly rectified.

"We are now moving at pace to satisfy our clients and ourselves that
all necessary steps have been taken to ensure this does not happen
again."

The data vulnerability was in place for an "unknown period", something
that would be the subject of an independent review launched today, he
said.

The company had initially not advised tenants about the data exposure
because its advice from its IT contractor was that the information had
not been accessed. However, this afternoon it issued an advisory to
tenants to update them about the situation.

The company also got in touch with the Privacy Commissioner, Galloway said.

Unsecure database

Dixon said he came across the unsecure data while carrying out a
security/infrastructure audit on unsecured Amazon Simple Storage
Solution (S3) database buckets.

He found it "very unusual" the company said the data was secure by
June 11, as the files were still public until July 6, when he said
Amazon secured the database.

The bucket contained 31,610 files, of which only 15 were not images,
and were publicly accessible to anyone who had the URL.

According to international technology media company CyberNews, which
broke the story, LPM managed various landlords' property. The images
within the database appeared to be either landlords or tenants
applying for the service.

CyberNews published blurred images as examples of the breach on its website.

It was unclear if "bad actors" had accessed the information, but it
was possible because of the fact it was "extremely easy" to access the
files.

Scanned passports and drivers' licences could also be sold on the dark
web for between NZ$20 and NZ$30 each respectively, meaning they could
collectively be worth well over $600,000.

Dixon said it was not the first data breach he'd attempted to assist
with, but it was the first instance in which every communication was
ignored.

"I find it very irresponsible that a company could be permitted to
collect such data but not have controls on to prevent this kind of
compromise.

"I would hope that companies who utilise cloud technologies,
especially for PPI, would carry out regular reviews on security rules
and networking configurations to ensure their clients' data is kept
private."

Dixon said they also contacted the Privacy Commissioner. However,
because of the lockdown in New Zealand, its reply was two weeks after
initial contact on May 10.

Its reply was that there was nothing it could do to assist, Dixon said.

A spokesman for the Privacy Commissioner told the Herald it had
referred Dixon to government agency Cert NZ, which was responsible for
cybersecurity.

While there was no obligation for companies to report data
vulnerability issues currently, an update to the Privacy Act, due to
come into force on December 1, will make it mandatory to report a data
breach to the commissioner, and any affected customers, he said.

Security issues and company responsibilities

Online storage from Amazon Web Services and other online providers is cheap.

But technology expert Juha Saarinen says: "It's very common for
companies to stuff things into AWS and elsewhere and omit to apply any
access controls. A number of security vendors have made it their
business to scan for open S3 storage buckets and new ones pop up every
week."

Anyone who felt their privacy had been breached could make a formal
complaint to the Office of the Privacy Commissioner.

Deputy director Declan Ingram for CERT NZ, a Government agency which
handles cyber security, said because of the "sensitive nature of the
reports", they would not confirm or deny involvement with any
particular incident.

However, he provided some general advice: "Standard security measures,
such as long, strong passwords and two factor authentication are the
first step in keeping sensitive data protected.

"In addition, we recommend that businesses consider segmenting their
network, including cloud-hosted networks.

"As part of this, businesses should identify sensitive information on
their systems, and ensure that access to that data is limited only to
systems or people that need it.

"By ensuring that all access to sensitive data is controlled,
businesses reduce the likelihood of unauthorised access to the data in
those systems.

"This protects the business, and its customers, from having sensitive
information leaked or stolen."

Real Estate Institute of New Zealand chief executive Bindi Norwell
said LMP was not a REINZ member.

REINZ had been working with its members around the importance of
protecting customers' and clients' personal information.

It had also been advocating for the property management profession to
be regulated to ensure companies complied with relevant legislation.

"This is yet another example of why regulation would help support
tenants, property managers and landlords."

The Department of Internal Affairs said the data issue was the
responsibility of the private company.