NZ Property Management Company Leaks 30,000 New Zealand, Australian Passports & Driver’s Licenses
CyberNews (CyberNews.com – a cybersecurity news and analysis website) has uncovered an unsecured database belonging to the New Zealand company LPM Property Management.
The unsecured Amazon Simple Storage Service (S3) database contains more than 31,000 images of users’ passports, driver’s licenses, evidence of age documents, and more. These files are publicly accessible to anyone who has the URL and require no authentication.
This particular bucket seems to host images from LPM’s service. Out of the 31,610 files contained in the database, only 15 files are not images.
The files include:
- Passports, both expired and active, from New Zealand, Australia and abroad
- Driver’s licenses with ID numbers, donor statuses, addresses, DOBs, and full names
- Evidence of age documents
- Applicant pictures
- Images of damaged property (labeled “maintenance requests”)
LPM helps manage various landlords’ property. The images within the database (usually filed under “applicants”) appear to belong to either landlords or tenants applying for this service. Although we reached out to LPM for clarification on this issue, we received no response. By working with Amazon, we were able to help secure the database.
Having this kind of sensitive data available to the public is risky, as bad actors can more easily commit identity theft, including taking out loans or other services in these victims’ names, or simply use the data as part of targeted phishing campaigns. In either case, the victims lose out.
Declan Ingram, Deputy Director for CERT NZ, which monitors ongoing threats and actively publishes advisories related to cybersecurity incidents, provided some advice for businesses:
“An unsecured database can be a huge risk to customers’ privacy and security. In addition to the standard security measures, such as long, strong passwords and two-factor authentication, we recommend that businesses consider segmenting their network, including cloud-hosted networks. As part of this, businesses should identify sensitive information on their systems, and ensure that access to that data is limited only to systems or people that need it.
By ensuring that all networks are segmented to control who can access them, businesses reduce the likelihood of unauthorised access to the data in those systems. This protects the business, and its customers, from having sensitive information leaked or stolen.”
For further details of the discovery and examples of the data discovered, please read the article here.