Notice concerning a security vulnerability in our website
As you may be aware, we were alerted to a security vulnerability on our website earlier this year.
We have conducted a full forensic investigation into the vulnerability and have reached out to those who may have been affected. We understand, however, that our clients may have questions about the incident, and that some of you who used the website over the relevant period may not have received our notification.
This page explains what happened, how we have responded, and how you can obtain further information.
We want to reassure our clients that we have taken robust steps to remedy the website vulnerability and have confidence in our security going forward.
We would like to unreservedly apologise that this has occurred. As a family business that has supported many community endeavours, it comes as an enormous disappointment to us that a flaw in our website may have affected the security of some of our clients’ information.
On 10 June 2020 we became aware that, due to an error in the way our website was configured by an IT contractor, some information that was uploaded via our website between November 2014 and March 2017 was technically accessible via the public internet. Unfortunately, this included scans of some of our clients’ ID documents. It did not include other information associated with tenancy applications as this was held on a separate client database.
Upon being informed of the security flaw we immediately took measures to contain the exposure and removed the affected files from the website. Following these initial remediation steps we engaged a specialist IT forensic investigator to determine how the exposure happened and who has been affected.
We have since identified and reached out to the individuals who may have been affected.
What steps have we taken in response?
Since the issue was discovered we have taken the following steps:
As soon as we were made aware of the issue, we arranged for any data stored on the website to be taken down. This was completed on 11 June 2020.
As noted above, we instructed a forensic IT specialist to investigate the incident, determine who was affected, and ensure our systems are secure. In addition, we engaged with IDCare, a specialist community organisation that provides expert and confidential advice to individuals who have concerns about their personal information.
This incident is not the act of a cybercriminal or scammer, but a human error by an IT contractor that left our customer information exposed. Because of this, we have reported the incident to both the Office of the Privacy Commissioner and the Department of Internal Affairs.
We are reviewing our IT systems to ensure that our IT security and processes are at an appropriate level. We appreciate that proper IT security is a matter of continual improvement and vigilance. With that in mind, our review of our IT security is an ongoing matter.
The team at LPM deal with client data regularly and have the highest regard for the privacy of our clients. We are extremely disappointed that this has happened and wish to convey our sincere apologies again for any inconvenience or concern caused.
As noted above, we have attempted to reach out to the individuals who may have had information affected. However, if you have any queries, or uploaded information to our website during the relevant time period but did not receive a notification, please do contact us directly at firstname.lastname@example.org