ITP Techblog

Brought to you by IT Professionals NZ
« Back to Legal

When is a hack not a hack?

Paul Brislen, Editor. 13 February 2019, 8:54 am

The South Canterbury Property Investors' Association collection of the private details of renters is one thing, sharing them with members is something else but exposing them to the internet for all the world to see is potentially a breach of the Privacy Act and is a timely wake up call to anyone who runs a website or maintains private information on a database.

The SCPIA put together a database of renters who may have had criminal convictions (or in some cases simply charges), may have had problems paying rent in the past and various other nefarious deeds. This list was then made available to members, presumably to assist in vetting potential renters, although since the story broke the site has been taken down.

According to Stuff one Timaru resident discovered the list online while searching for her own name and was shocked to discover a 15-year old conviction for a minor offence committed when she was a teenager was tagged to her name.

Laughably, the SCPIA president, Kerry Beveridge, claims the website was hacked and he would be investigating how that happened.

However, one self-professed geek Dylan Reeve refutes this claim, pointing out via Twitter that the database was openly available on the SCPIA website for anyone to see, and showed up easily on a Google search. The SCPIA's 'database' is a 600+ page spreadsheet posted to the organisation's website with no security evident, says Reeve.

"They made no effort at all to protect these details," he says in a tweet.

Much of the information in the database comes from the Timaru Herald's court records, according to SCPIA's website.

According to the Stuff story, the New Zealand Property Investors Federation chief executive Andrew King said the group had "taken legal advice and were within the law" but the Privacy Act does not allow data to be gathered for one purpose and then used for another. 

The Privacy Commissioner's office has expressed concern about the apparent lack of security around the list and urges anyone who feels their privacy has been breached to get in touch.


You must be logged in in order to post comments. Log In

Web Development by The Logic Studio