Investors ‘careless’ with data
CONTROVERSIAL blacklists divulging names and intimate personal details of hundreds of tenants can still be accessed online despite an apology from the South Canterbury Property Investment Association, and an assurance that the website was now blocked.
Sunday News revealed last week that compromising information about hundreds of South Canterbury residents, including decades-old criminal records, was available publicly online despite being meant for association members only.
A basic search of the association’s website discloses the controversial lists and all the information on them.
Association president Kerry Beveridge initially said the data had been ‘hacked’, but a cyber security expert believes carelessness allowed easy access to the information.
Several attempts to gain comment from Beveridge, who won the landlord of the year title at the annual New Zealand Property Investors Federation in 2017, over this latest finding proved unsuccessful.
Earlier in the week expressed regret that the names and intimate personal details of tenants in the region had been divulged.
‘‘The Committee of South Canterbury Property Investors Association sincerely apologises to anyone affected by the unauthorised release of individuals’ information held by us.’’
But Cybersec New Zealand, which reviewed the association’s website, found it was ‘‘careless’’.
‘‘All of the negative publicity for SCPIA, and the inconvenience and embarrassment to those on the list, could have been avoided with a simple vulnerability assessment of the website,’’ Cybersec New Zealand managing director Hardus Viljoen said.
‘‘This is more a case of poor cyber hygiene than a hack,’’ Viljoen said.
The conundrum for the association is that the files are still available to the public on Google, despite being removed from the unsecured location on its website.
‘‘As part of the Internet Archive project, these files were ‘backed up’ and copies are still freely available on the internet.’’
In the European Union, such carelessness could attract a fine of millions of euros.
Sam Williams, a spokesman for the Privacy Commissioner, said the office was prevented from imposing fines by the Privacy Act, but the commissioner wanted greater powers to impose fines.
Williams said the commissioner investigated privacy disputes in response to complaints and and aimed to settle them. Sometimes those settlements include financial compensation.
‘‘If the dispute is not settled, the complainant can take their case to the Human Rights Review Tribunal, which can award damages,’’ he said.
‘‘The Office of the Privacy Commissioner has been in contact with the SCPIA, offering advice and support to help ensure that it meets its obligations under the Privacy Act.
‘‘The SCPIA has been following our guidance.’’