Private data exposed in insecure property management site over misunderstanding of cloud

Misunderstandings over the types of data you should put on the cloud and a lack of safeguards in place have potentially exposed the private information of tens of thousands of New Zealanders, according to a tech expert based in Ireland.


Vadix Solutions' Jake Dixon and Daniel Vagg joined Breakfast to discuss the breach. Source: Breakfast

It comes after more than 30,000 files - including passports and driver licences - were discovered through a security flaw on Lambton Property Management (LPM)'s website, with experts estimating the information to be worth $500,000 if it were to be sold on the dark web.

Vadix Solutions security researcher Jake Dixon told TVNZ1's Breakfast he discovered the breach after investigating whether Ireland's critical infrastructure was being properly maintained back in 2018.

"While we were working through those results, we found that Ireland has quite a large digital landscape in terms of data centres and cloud services, so we decided to expand our search beyond the initial search criteria to these cloud services," Mr Dixon said.

"We originally scoped it within Ireland ... however, due to the journey we took, and the nature of cloud, we found quite a few international 'buckets' that were filled with private information, this one being one of the most concerning due to the volume and type of documents we found." 


Overseas tech experts discovered more than 30,000 files, including passports and driver’s licenses. Source: 1 NEWS

He said there are "quite a few" buckets of information that are sitting unsecured through the cloud, adding that it "very much depends what kind of data you want to host".

"There is a concept that you can host certain files, like JavaScript files or website files - it wouldn't necessarily hold private or personal information," he said. "However, the misunderstanding that this is just another hard drive or this is just another USB key that you shouldn't put any personal information onto.

"There seems to be the misunderstanding within certain industries what types of data you can put on cloud and just what safeguards you have to put around that data." 


Mr Dixon said he has seen the stolen information used in financial cases, with people attempting to defraud cryptocurrency exchanges, and in illegitimate subscriptions to utilities and property rentals with forged identities.

"This, in terms of today's digital age, is a very valuable piece of information to go missing."

The company's co-founder, Daniel Vagg, is now looking for a solution to make information more secure.

"This issue is not uncommon," he said, adding that while some web services have moved to secure information, breaches "could happen and may exist in websites which still haven't adjusted to prevent this from happening." 

He said the company is looking to build a free service in the future to identify similar vulnerabilities and inform the companies involved, as well as an automated service to monitor protected assets and automatically let them know when issues have been resolved.