CyberNews received information from reader Jake Dixon, a security researcher with Vadix Solutions, who discovered an unsecured Amazon Simple Storage Solution (S3) database containing more than 31,000 images of users’ passports, driver’s licenses, evidence of age documents, and more. These files are publicly accessible to anyone who has the URL and appears to be owned by the Wellington, New Zealand company LPM Property Management.
Due to the type of company it is, the unsecured database (which appears to only host image files for the company) also contains pictures of applicants and some property requiring maintenance.
Both Vadix and CyberNews attempted to contact LPM Property Management to secure their database. Unfortunately, the company was unresponsive and we had to go through Amazon Web Services to get the issue fixed. The database is now secured.
What data is in the bucket
This particular bucket seems to host images from LPM’s service. Out of the 31,610 files contained in the database, only 15 files are not images.
The files include:
- Passports, both expired and active, both from New Zealand and abroad
- Drivers licenses with ID numbers, donor statuses, addresses, DOBs, and full names
- Evidence of age documents
- Applicant pictures
- Images of damaged property (labeled “maintenance requests”)
The way that LPM works is that they will manage various landlords’ property. The images within the database (usually filed under “applicants”) appear to be either landlords or tenants applying for this service. Although we reached out to LPM for clarification on this issue, we received no response.
Nonetheless, these “applicants” images have various documents as proof of identity, most of which are drivers’ licences and some passports. Some of these passports are from outside New Zealand.
Example of passport:
Example of Australian passport:
Example of driver’s license:
Who had access to the bucket?
It is unclear at the moment who had access to the exposed Amazon S3 bucket. It is also unclear for how long the bucket was exposed.
Due to the fact that it is extremely easy to access these types of files, it is possible that bad actors may have accessed the information in this bucket and may potentially use it for malicious purposes. If you believe your information was contained in LPM’s unsecured database, we recommend you set up identity theft monitoring and be on the lookout for suspicious emails, which could be phishing attempts.
What’s the impact?
Having 30,000 passport and driver’s licenses can be a huge find for many bad actors online. This article puts the value of one passport scan at around $14 on the dark web, while another article puts a driver’s license value at about $20. With those prices, the bucket has a price range of $442,540 – $632,200 (assuming the files are either all passports or all driver’s licenses).
With that information, hackers can commit identity theft, including taking out loans or other services in these victims’ names, or simply use the data as part of targeted phishing campaigns.
In either case, these victims are losing.
Declan Ingram, Deputy Director for CERT NZ, which monitors ongoing threats and actively publishes advisories related to cybersecurity incidents, provided some advice for businesses:
“An unsecured database can be a huge risk to customers’ privacy and security. In addition to the standard security measures, such as long strong passwords and two factor authentication, we recommend that businesses consider segmenting their network, including cloud hosted networks. As part of this, businesses should identify sensitive information on their systems, and ensure that access to that data is limited only to systems or people that need it.
By ensuring that all networks are segmented to control who can access them, businesses reduce the likelihood of unauthorised access to the data in those systems. This protects the business, and its customers, from having sensitive information leaked or stolen.
It can take time to segment a current network. As a starting point it is best for organisations to focus on high risk areas to ensure important information is secure. This includes devices that have sensitive data, or devices that control critical administrative functions.”
We attempted to contact LPM Property Management on June 2, after Vadix attempted to contact them on May 10. However, we did not get any response from the company. For that reason, we contacted Amazon Web Services on June 9. They got in contact with the vendor who seems to have refused to fix the issue.
After we insisted that this type of data should not be made public, Amazon was finally able to secure the database on July 6.
We have not received any comment from LPM Property Management.