Misunderstandings over the types of data you should put on the cloud and a lack of safeguards in place have potentially exposed the private information of tens of thousands of New Zealanders, according to a tech expert based in Ireland.
It comes after more than 30,000 files - including passports and driver licences - were discovered through a security flaw on Lambton Property Management (LPM)'s website, with experts estimating the information to be worth $500,000 if it were to be sold on the dark web.
Vadix Solutions security researcher Jake Dixon told TVNZ1's Breakfast he discovered the breach after investigating whether Ireland's critical infrastructure was being properly maintained back in 2018.
"While we were working through those results, we found that Ireland has quite a large digital landscape in terms of data centres and cloud services, so we decided to expand our search beyond the initial search criteria to these cloud services," Mr Dixon said.
"We originally scoped it within Ireland ... however, due to the journey we took, and the nature of cloud, we found quite a few international 'buckets' that were filled with private information, this one being one of the most concerning due to the volume and type of documents we found."
He said there are "quite a few" buckets of information that are sitting unsecured through the cloud, adding that it "very much depends what kind of data you want to host".
"There seems to be the misunderstanding within certain industries what types of data you can put on cloud and just what safeguards you have to put around that data."
Mr Dixon said he has seen the stolen information used in financial cases, with people attempting to defraud cryptocurrency exchanges, illegitimate subscriptions to utilities, and property rentals with forged identities.
"This, in terms of today's digital age, is a very valuable piece of information to go missing."
The company's co-founder, Daniel Vagg, is now looking for a solution to make information more secure.
"This issue is not uncommon," he said, adding that while some web services have moved to secure information, breaches "could happen and may exist in websites which still haven't adjusted to prevent this from happening."
He said the company is looking to build a free service in the future to identify similar vulnerabilities and inform the companies involved, as well as an automated service to monitor protected assets and automatically let them know when issues have been resolved.