People who have had their personal information stolen from the Stuff-owned Neighbourly platform could be vulnerable to online threats, a cyber security expert says.
Neighbourly has lost names, email addresses, private messages, posts and GPS locations, which have been put up for sale on the dark web.
The website was initially shut down on New Year's Day after the breach was uncovered but is now back online again.
Neighbourly has told members it will look to get a court injunction, but it is satisfied the breach was quickly contained.
It surfaced around the same time as another major breach at privately-owned Manage My Health, in which more than 120,000 patient files were compromised.
"The most concerning thing about the Neighbourly one is that there is GPS information in there, which I assume is people's homes," Patrick Sharp, general manager at Aura Information Security told RNZ.
"So that, correlated with other information that's out on the internet might provide some kind of attack opportunity for an attacker."
Sharp said the taking of the information was "absolutely" a concern.
"After the Medibank breach in Australia in 2022 there were tens, or maybe hundreds of thousands of actual financial crimes that resulted from the information stolen in that breach... so this is probably the beginning," he said.
"Bear in mind as well that the people who are impacted by the ManageMyHealth breach and the Neighbourly breach are potentially people who are quite vulnerable and don't understand how to protect themselves.
"So if a member of your family, an elderly person in your family, or anything like that tells you that they're affected then you should probably help them try to understand or vet any kinds of unsolicited contact they get from anyone as well," Sharp said.
"I think more than anything they need to be suspicious, and if someone calls you out of the blue or you get an email which you're not expecting, you should just be very, very suspicious about it."
Sharp said cyber attacks rise toward the end of the year, and websites or platforms growing in size can expose vulnerabilities.
"The reality is that websites are very complex systems and they go through a lot of change as they update new features and so on, and so when they do that, the possibilities of introducing new vulnerabilities into those websites is very, very possible," Sharp said.
"And so unless they maintain a high degree of security during the development process and the update process, those vulnerabilities can be quite impactful," he said.
"In practice, once it's out there, it's out there," Sharp said.
Neighbourly earlier said it took its data privacy responsibilities seriously and had contacted members directly.
On its website, it promotes itself with the tag line "your personal information is safe".
Lives could be put at risk
Gorilla Technology chief executive Paul Spain said the Neighbourly data breach was "really significant".
"There's a large amount of data involved and it impacts somewhere between 800,000 and one million people potentially," he said.
"The size of the breach suggests that it is certainly a possibility for a large percentage of those people who have their data taken."
Spain also said the taking of GPS co-ordinates was a concern and would be concerning for some people.
"I guess the reality is when there's this many people impacted then probably most folks won't directly be impacted, but you just don't know whether you're going to get targeted with some sort of a scam where they know some personal information and they are able to take advantage of you," he said.
"And if that ends up leaking out on the dark web and becomes available to anybody that could actually put, in some cases, put people's lives at risk."
He said a court injunction would be to stop people who are New Zealand-based from referencing the information.
"Because once it's available out there, of course, anybody can get it and so you could just do a court injunction that says 'hey, this is private information and shouldn't be published through legitimate platforms'," he said.
"But it's still available unfortunately to anyone that chooses to pay for it or retrieve the portions of it that might be leaked for free."
Spain described the Neighbourly breach as a wake-up call.
"And unfortunately we seem to have, I think, a kind of 'she'll be right, mate' attitude to cyber security in New Zealand for a lot of organisations, and it's surprising, you know, how many organisations don't get regular cyber security audits carried out or have a good level of clarity around where their risks are and what they can do to reduce those risks.
"You know, an organisation of the scale of stuff.co.nz who own Neighbourly, they should be at the scale to make sure that they're keeping on top of these things."