There were two incidents concerning New Zealand leaks or breaches in my news feed this morning. One of them caught my attention because the story didn’t seem accurate — and not because the reporters weren’t reporting accurately, but because the entity may not have been fully transparent or accurate about the incident.
First: Mandy Te, Susan Edmunds and Georgia-May Gilbertson report:
When a security researcher in Ireland discovered an unsecured database which contained thousands of personal files, he immediately reached out to the company concerned.
More than 31,000 images of people’s passports and driver’s licences had been leaked by Wellington firm LPM Property Management.
The files included expired and active passports from New Zealand and overseas, driver’s licences, evidence of age documents, pictures of applicants and maintenance requests.
Read more on Stuff.
LPM Property Management issued a statement claiming it takes its clients’ data protection very seriously.
“That’s why we promptly dealt with this issue once we were made aware of it. The data is fully protected after our external technical contractor acted to ensure it was safe. There is no evidence at all to suggest any unauthorised access.”
The New Zealand Herald reports that LPM Property Management spokesman Chris Galloway told them that they were not made aware of the unsecured data until June 10, when it was discovered by their own technical contractor. Their own contractor? Seriously?
CyberNews provides a radically different version of their responsiveness and how seriously they took this all. CyberNews reports that a researcher with Vadix Solutions contacted them after getting nowhere with notifying LPM:
We attempted to contact LPM Property Management on June 2, after Vadix attempted to contact them on May 10. However, we did not get any response from the company. For that reason, we contacted Amazon Web Services on June 9. They got in contact with the vendor who seems to have refused to fix the issue.
[….]
Both Vadix and CyberNews attempted to contact LPM Property Management to secure their database. Unfortunately, the company was unresponsive and we had to go through Amazon Web Services to get the issue fixed. The database is now secured.
None of that is consistent with what LPM claimed in its statement to clients.
But it gets even worse.
DataBreaches.net had been contacted by another researcher, not affiliated with Vadix, who had independently found the leaking Amazon bucket and had notified LPM via email on April 29, almost two weeks before Vadix first tried.
Getting no response, and thinking that perhaps COVID-19 had delayed the company, he phoned them on June 23 after finding that the bucket was still unsecured. He spoke to an employee and, at the employee’s request and as a follow-up to the call, this researcher, who has requested anonymity, sent the company the URL of the exposed bucket and a list of some of the exposed files, noting that the files appeared to have been uploaded in May 2018.
The fact that the files appeared to have been uploaded in May 2018 does not necessarily mean that the Amazon storage bucket was misconfigured or exposed for all that time, but it is possible, and only the bucket’s access logs can establish when it became readable and who read it.
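Two caveats a practitioner would raise here. First, Amazon S3 server access logging is off by default, so a bucket that never had it (or CloudTrail data events) enabled leaves no record at all, and “no evidence of unauthorised access” then means only that nothing was recorded. Second, when logs do exist, the question is answered mechanically: an unauthenticated client shows up with `-` in the requester and authentication_type fields, and a 200 on a GET is a download. The following script is an added example, not code from the original post or from LPM or its contractor; it parses a constructed sample of S3 server access log lines (placeholder bucket name, keys, IPs and request IDs, none of them LPM’s) and reports what an investigator would want to know: how many anonymous reads succeeded, from how many addresses, how many bytes left, and the first and last time it happened.

```python
"""Added example: decide from S3 server access logs whether an exposed bucket
was actually read by anonymous clients, and when. Sample log lines are
constructed for illustration; bucket, keys, IPs and IDs are placeholders."""
import re
from datetime import datetime

# Constructed sample. Field order follows the S3 server access log format:
# bucket_owner bucket [time] remote_ip requester request_id operation key
# "request_uri" http_status error_code bytes_sent object_size total_time
# turn_around_time "referrer" "user_agent" version_id host_id
# signature_version cipher_suite authentication_type host_header tls_version
# Anonymous requests carry "-" for requester, signature_version and
# authentication_type. The 403 on the last line is what a request looks like
# after the bucket has been locked down.
SAMPLE_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be example-bucket [14/May/2018:03:41:07 +0000] 192.0.2.10 arn:aws:iam::123456789012:user/uploader 7B4A0FABBEXAMPLE REST.PUT.OBJECT applicants/passport_0001.jpg "PUT /applicants/passport_0001.jpg HTTP/1.1" 200 - - 523411 42 12 "-" "aws-cli/1.16" - hostidEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be example-bucket [10/May/2020:09:12:01 +0000] 203.0.113.7 - 3E57427F3EXAMPLE REST.GET.BUCKET - "GET /example-bucket?list-type=2 HTTP/1.1" 200 - 1276 - 31 30 "-" "Mozilla/5.0" - hostidEXAMPLE - - - example-bucket.s3.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be example-bucket [10/May/2020:09:12:44 +0000] 203.0.113.7 - 9C8B2E11AEXAMPLE REST.GET.OBJECT applicants/passport_0001.jpg "GET /applicants/passport_0001.jpg HTTP/1.1" 200 - 523411 523411 88 19 "-" "Mozilla/5.0" - hostidEXAMPLE - - - example-bucket.s3.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be example-bucket [20/Jun/2020:22:05:13 +0000] 198.51.100.23 - A1F3C9D2BEXAMPLE REST.GET.OBJECT applicants/licence_0420.jpg "GET /applicants/licence_0420.jpg HTTP/1.1" 200 - 311002 311002 64 15 "-" "curl/7.68.0" - hostidEXAMPLE - - - example-bucket.s3.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be example-bucket [24/Jun/2020:01:17:50 +0000] 198.51.100.23 - D4E5F6A7CEXAMPLE REST.GET.OBJECT applicants/licence_0421.jpg "GET /applicants/licence_0421.jpg HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "curl/7.68.0" - hostidEXAMPLE - - - example-bucket.s3.amazonaws.com TLSv1.2
"""

# Tokens are either a bracketed timestamp, a quoted string, or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time", "referrer",
    "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "authentication_type", "host_header", "tls_version",
]


def parse_line(line):
    """Split one access log line into a dict; trailing newer fields are ignored."""
    tokens = [t.strip('[]"') for t in TOKEN.findall(line)]
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["http_status"] = int(rec["http_status"])
    rec["bytes_sent"] = 0 if rec["bytes_sent"] == "-" else int(rec["bytes_sent"])
    return rec


def is_anonymous(rec):
    """Unauthenticated requests carry '-' for both requester and auth type."""
    return rec["requester"] == "-" and rec["authentication_type"] == "-"


def anonymous_reads(log_text):
    """Successful (2xx) unauthenticated reads: object downloads and listings."""
    reads = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (is_anonymous(rec) and 200 <= rec["http_status"] < 300
                and rec["operation"] in ("REST.GET.OBJECT", "REST.GET.BUCKET")):
            reads.append(rec)
    return reads


def summarize(log_text):
    """What an investigator wants: counts, bytes, sources and the time window."""
    reads = anonymous_reads(log_text)
    objects = [r for r in reads if r["operation"] == "REST.GET.OBJECT"]
    return {
        "anonymous_requests": len(reads),
        "objects_downloaded": len(objects),
        "bytes_downloaded": sum(r["bytes_sent"] for r in objects),
        "distinct_ips": sorted({r["remote_ip"] for r in reads}),
        "first_seen": min(r["time"] for r in reads) if reads else None,
        "last_seen": max(r["time"] for r in reads) if reads else None,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the constructed sample the script finds three successful anonymous requests (one listing, two object downloads totalling 834,413 bytes) from two addresses between 10 May and 20 June 2020, and it correctly ignores the owner’s authenticated 2018 upload and the 403 after lockdown. Run against a real bucket’s logs, a non-empty result is exactly the “evidence of unauthorised access” a statement like LPM’s would have to account for; an empty result is only meaningful if logging was on for the whole exposure window.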
But LPM’s claims about how seriously it takes data security are not supported by the reports from two unrelated researchers and one news outlet.
And their claim that no data was accessed is refuted by the fact that this researcher did download their data, and provided this site with proof of that. He claims the archived bucket was more than 7 GB of compressed images, but that there were many duplicates (thumbnails) in the bucket.
How do we explain the contradiction between LPM’s claim that they secured their data and this whitehat researcher finding proof it was still unsecured on June 23? Are all these researchers and news outlets talking about the same bucket, in which case LPM’s claims and public statements are patently false, or did they have more than one bucket that was misconfigured?
Either way, they have some explaining to do.
DataBreaches.net reached out to LPM via their site’s contact form and got an auto-response saying that somebody would get back to us. When they do, this post will be updated.
Update: LPM provided this site the following statement. I don’t know if they read this post before sending it, but I suspect they didn’t and just responded to my site contact query.
Thanks for your contact. The advice we have from the New Zealand Privacy Commission is they regard this as a data vulnerability, not a data breach. As our business is property management, we rely on contracted technical assistance, including advice on any data security issues. We are advised that our systems are presently robust and secure. To ensure that remains the case going forward we have commissioned an independent audit. That audit is expected to be completed in the coming days.
Chris Galloway, for LPM
Obviously, calling it a vulnerability would have been appropriate if it hadn’t turned into a breach by someone accessing and downloading the data. But at least one party did download the data (they sent a copy to this site as proof). The commissioner’s opinion was based on incomplete information or a false claim by the firm. And the notification to consumers was inaccurate and misleading, too.
The LPM exposure was listed on GreyhatWarfare. We know at least one person found it on there (the researcher who contacted this site). How many other people may have found it there and downloaded it — people who may have been grayhats or blackhats — during the almost two months between when this researcher found it and first notified LPM in April and when it finally got locked down after his June 23 communications with them?
This is obviously not the world’s worst breach. But a firm failing to receive breach notifications and to respond to them promptly is a problem we see everywhere. And a firm issuing false statements about when it was first notified and whether data were downloaded is also a big problem.
DataBreaches.net hopes the Office of the Privacy Commissioner takes a deeper look or second look into this incident. There is a reason to have breach notification laws — to protect consumers. If companies provide inaccurate or false reassurances, the notification does not accomplish what it needs to accomplish.
It appears the Office of the Privacy Commissioner messed this one up too:
https://www.stuff.co.nz/technology/122163011/privacy-commissioner-regrets-error-after-it-was-flagged-to-leak-of-30000-personal-files
I think this might need to be reviewed from higher up.
Oh wow. This tendency of entities to think everything is a phishing attempt or scam is a major problem that we encounter. That the privacy commissioner’s office made that mistake, too, well, it shows us how much awareness training we need to do. Being cautious is one thing. Not investigating at all is something else.