16 Jul 2020

LPM breach could have revealed thousands of people's data

4:57 pm on 16 July 2020

A design flaw in a property management firm's website meant potentially thousands of images of private customer information were publicly available.

[Image: two New Zealand passports against a map. File photo: 123RF]

The website - hosted by LPM Property Management - showed passports, driver's licences and other identity documents of New Zealanders and other nationalities.

The leak was identified by tech website CyberNews, which said the images could be worth more than $600,000 to criminals and be used for identity theft.

LPM spokesperson Chris Galloway said they took action as soon as they found out about the flaw.

"As soon as they were notified of this, the matter was fixed, and subsequently this month, LPM was advised that the system was now completely robust," he said.

He said there was no unauthorised access to the website while the flaw was present.

LPM did not confirm exactly how many files were publicly available; CyberNews put the figure at more than 31,000.

"In the nature of this business, LPM collects personal data to ensure that tenants coming into properties, which they are managing on behalf of landlords, are suitable people to occupy those properties," Galloway said.

"Of course, every effort is made to protect that data, which was a situation where a website design for the company appeared to have an inbuilt flaw that has now been fixed."

CyberNews said initial attempts to get the data secured went unheeded by LPM Property Management. It said a security researcher for Vadix Solutions had tried to reach the firm on 10 May, and that CyberNews itself tried again on 2 June.

LPM's spokesperson said the team at LPM was first contacted on 10 June and the issue had been fixed by 11 June, with an update on 7 July confirming that all necessary actions had been completed.

Galloway said the company is now working to find out how long the data had been exposed before the flaw was identified.

LPM said all the data is now fully protected, and it will be briefing the Privacy Commissioner's Office on the steps taken in response.

Who should take responsibility for the breach?

The breach is being put down to a design flaw in the website: the data was stored on Amazon Web Services - or AWS - the cloud platform run by the tech giant, which lets companies store data in the cloud.

It is a widely used storage system, but Peter Gutmann, a computer security researcher at the University of Auckland, said people and companies shouldn't be using it to store sensitive private data.

"Because it is so incredibly difficult to configure securely, it practically guarantees breaches.

"It's fine for storing public data, anything like that, but you either want to be incredibly careful what you put on there, or hire someone who eats, sleeps and breathes AWS and knows exactly how to use it."

He said that because it was so easy to misconfigure a database on AWS, automated tools set up by hackers were constantly scanning for, and then breaching, such databases - which was what he thought had happened here.
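The misconfiguration Gutmann describes is, in the common case, a cloud storage bucket whose policy or access control list lets anyone on the internet read it, which is exactly what the automated scanners he mentions look for. The article does not name the AWS service involved, so the following is an added example, not code from the article, LPM or CyberNews, and it assumes the data sat in an S3 bucket. The bucket name, account ID, role name and policy documents are constructed for illustration. It evaluates, offline from their JSON, the three settings that decide whether an S3 bucket is world-readable (the bucket policy, the ACL, and the Public Access Block), flags the weak configuration, and shows the corrected equivalents passing clean.

```python
"""Offline audit of S3 bucket settings for public read access.

Assumption (not stated in the article): the exposed data was in an S3 bucket.
All names, IDs and policy documents below are constructed samples; in a real
run they would come from get-bucket-policy, get-bucket-acl and
get-public-access-block.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}  # both mean "anyone with an AWS account or none"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed weak configuration: world-readable policy, public ACL grant, no PAB.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-tenant-docs/*",
    }],
})
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
WEAK_PAB = None  # no PublicAccessBlock configured on the bucket

# Constructed corrected configuration: access only for one named IAM role.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PortalRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/tenant-portal"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-tenant-docs/*",
    }],
})
FIXED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
]}
FIXED_PAB = {k: True for k in PAB_KEYS}


def _as_list(value):
    """Policy fields such as Statement, Action and Principal.AWS may be scalar or list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous/any principal)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy_json):
    """Flag Allow statements whose principal is public. A Condition may still
    scope such a statement (e.g. to a VPC endpoint), so that is noted for review."""
    findings = []
    if not policy_json:
        return findings
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        note = " (has Condition; review its scope)" if stmt.get("Condition") else ""
        findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows "
                        f"{_as_list(stmt.get('Action', []))} to a public principal{note}")
    return findings


def acl_findings(acl):
    """Flag any grant to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings


def pab_findings(pab):
    """All four Public Access Block flags should be true; they override public
    ACLs and policies even if someone later adds one by mistake."""
    if pab is None:
        return ["no PublicAccessBlock configured"]
    return [f"PublicAccessBlock.{k} is not true" for k in PAB_KEYS if not pab.get(k)]


def audit_bucket(policy_json, acl, pab):
    """Return every public-exposure finding; an empty list means not world-readable."""
    return policy_findings(policy_json) + acl_findings(acl) + pab_findings(pab)


if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_POLICY, WEAK_ACL, WEAK_PAB)),
                       ("fixed", (FIXED_POLICY, FIXED_ACL, FIXED_PAB))):
        print(label, audit_bucket(*cfg) or "no public access found")
```

The check is deliberately conservative: a public principal with a Condition is still reported, because the scope of that condition needs a human reading. Enabling all four Public Access Block flags is the single setting that would have made the public-read policy and the AllUsers grant ineffective even before they were removed.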

However, the head of cyber security firm Cyber Toa, Anthony Grasso, disagreed with Gutmann over where responsibility lay.

"AWS is done by Amazon - they're a multinational company who are very successful, and so their products are at the same level.

"If we're using it inappropriately and we're not securing it properly, then it's not the problem of AWS, it's the person who has been hired to configure it, that's where the issue lies."

He said part of the problem was around a lack of regulation.

"There is no governing body, there is no minimum standard, anyone can call themselves either a cyber security expert or an IT expert - there is no requirement here."

It was the technology companies that needed to take responsibility when it went wrong.

Aaron Packard, an organiser for the advocacy group Renters United, said a regulatory system needed to look at why the information was collected in the first place.

"It raises the question: Can we trust the property management companies, like LPM, to actually securely look after our private information? Should they be collecting that information?

"That's why we at Renters United advocate strongly that the property management industry needs to be regulated."
