Poor cyber hygiene to blame not hacking
Controversial blacklists divulging names and intimate personal details of hundreds of tenants can still be accessed online despite an apology from the South Canterbury Property Investment Association, and an assurance that the website was now blocked.
Stuff revealed last Sunday that compromising information about hundreds of South Canterbury residents, including decades-old criminal records, ‘‘meant for members only’’, was made public online by the investors’ association. A basic search of the association’s website discloses the controversial lists and all the information on them.
South Canterbury Property Investment Association (SCPIA) president Kerry Beveridge initially said the data had been ‘hacked’, but a cyber security expert believes they were careless and the information could be easily accessed.
Several attempts to gain comment from Beveridge, who won the landlord of the year title at the annual New Zealand Property Investors Federation in 2017, over this latest finding proved unsuccessful.
Cybersec New Zealand reviewed the association’s website and found they were ‘‘careless’’.
‘‘All of the negative publicity for SCPIA, and the inconvenience and embarrassment to those on the list, could have been avoided with a simple vulnerability assessment of the website,’’ Cybersec New Zealand managing director Hardus Viljoen said.
‘‘This is more a case of poor cyber hygiene than a hack,’’ Viljoen said.
The conundrum for the SCPIA is how, after removing the files from the unsecured location on their website, they are still available to the public on Google, he said.
‘‘As part of the Internet Archive project, these files were ‘backed up’ and copies are still freely available on the internet.’’
If SCPIA had been this careless in other parts of the world, the association would be facing a massive fine. In the European Union, which recently imposed strict penalties for privacy breaches, they could have been facing a fine of millions of Euros.
Privacy Commissioner spokesman Sam Williams said it was prevented from imposing fines by the Privacy Act, but the commissioner wanted greater powers to issue fines.
Williams said the commissioner investigated and aimed to settle privacy disputes in response to complaints and sometimes those settlements include financial compensation.
‘‘If the dispute is not settled, the complainant can take their case to the Human Rights Review Tribunal, which can award damages.’’
‘‘The Office of the Privacy Commissioner has been in contact with the SCPIA, offering advice and support to help ensure that it meets its obligations under the Privacy Act,’’ Williams said.
‘‘The SCPIA has been following our guidance.’’
Earlier this week, the SCPIA head Beveridge expressed regret at divulging the names and intimate personal details of tenants in the region. ‘‘The Committee of South Canterbury Property Investors Association sincerely apologises to anyone affected by the unauthorised release of individuals’ information held by us,’’ he said.
‘‘As soon as we were made aware of the problem the association removed its website.’’
New Zealand Property Investors’ Federation chief executive Andrew King said the SCPIA was taking measures to rectify their situation.