New Zealand-based LPM Property Management leaks over 31,000 ID Documents
Learn More
LPM Property Management, a Wellington, New Zealand-based company, was recently discovered to be leaking by security researcher Jake Dixon of Vadix Solutions.
The data was leaked via an unsecured Amazon Simple Storage Solution (S3) bucket containing more than 31,000 images of sensitive personal identification documents. These files were publicly accessible to anyone who had the S3 bucket URL.
The exposed images appear to belong to both landlords and tenants who had applied for the company's services, with applicants required to submit proof of identity documents as part of the application process. Exposed data includes
- Passports (both expired and active, from New Zealand and international)
- Driver's licenses containing ID numbers, donor statuses, addresses, dates of birth, and full names
- Evidence of age documents
- Applicant photographs
- Images of damaged property (labeled as "maintenance requests")
Both Vadix and CyberNews made multiple attempts to contact LPM Property Management to alert them about the security vulnerability but the company remained unresponsive. The security researchers then escalated the matter to Amazon Web Services. Despite initial resistance from the vendor, Amazon finally secured the database two months after the initial discovery.
Based on dark web valuations, passport scans are worth approximately $14 each, while driver's licenses fetch around $20 each. With these figures, the exposed data has an estimated value between $442,540 and $632,200, assuming the files are either all passports or all driver's licenses. This exposed information could be exploited for identity theft, fraudulent loan applications, or targeted phishing campaigns.
