Privacy officials treat cyber breach as scam
The Privacy Commissioner’s Office says it mistook a tip about 30,000 New Zealanders’ personal data being exposed online for a scam, leaving driving licences and passport details vulnerable for a month.
Tens of thousands of images from people’s passports and driving licences held by Wellington firm LPM Property Management were accessible to anyone with the URL for at least a month.
Vadix Solutions security researcher Jake Dixon, who is based in Ireland, discovered the issue on May 10 and said he ‘‘immediately reached out to the company’’ and the Privacy Commissioner.
But, in a statement, LPM Property Management said it did not have any record of contact from Dixon prior to June 10, when the exposure was discovered by ‘‘our technical contractor’’.
The vulnerability was fixed on June 11 and there is no evidence that personal details were breached.
A Privacy Commissioner spokesman confirmed Dixon’s email had been initially classified as a scam and the email was not referred on until nearly a month later.
‘‘The researcher was referred to CERT on June 5 once this misclassification was identified,’’ said Privacy Commissioner spokesman Charles Mabbett.
‘‘We regret the error – it happened at a time when the office was receiving a lot of Covid-19 related inquiries and staff were working from home.’’
CERT was the most appropriate agency to assist with cyber security and security vulnerabilities, he added.
There was no evidence to suggest any unauthorised access to the information, which included expired and active passports from New Zealand and overseas, driving licences, evidence of age documents, pictures of applicants and maintenance requests, he said.
‘‘LPM advised our office yesterday the vulnerability had been fixed and all the personal information removed. It says there is no evidence that any of the personal information was taken.’’
LPM spokesman Chris Galloway told Stuff it was not disputing Dixon had reached out although the company had no record of this.
It had since contracted a Wellington company to do an audit of its security, which would take place next week.
Speaking to Stuff on Thursday, Jake Dixon of Vadix Solutions said the exposure was part of a wider project to analyse critical infrastructure within Ireland. ‘‘Given the large amount of documents like passports, driver’s licences and birth certificates, we were very concerned we were not hearing anything back about this.’’
Dixon said they ‘‘gave it a few weeks’’ but were uncertain of what to do, as they had never faced this situation.
He then contacted a company they had worked with before to close off the ‘‘vulnerability’’. Dixon said normally companies were ‘‘very quick’’ to jump on the ‘‘breach topic’’.
‘‘Not only is it about saving the reputation and profile of the company but the information they are holding is very sensitive and very personal.’’