A Canterbury investors’ group is the latest example of crying ‘hacked’ when it’s really nothing of the sort, writes Dylan Reeve.

It’s so common now that we barely bat an eyelid – some company holding troves of personal information is hacked and personal data is leaked online… sometimes even on the dark web!

But this commonness also makes it a go-to excuse for those who’ve been caught failing to protect the data they store.

The Sunday Star Times recently reported that the South Canterbury Property Investors’ Association, a landlords group in Timaru, was “hacked” and their ethically dubious lists of rent debtors and criminal convictions were “leaked” online.

The story had come to light because a Timaru woman, Jessica Cross, was Googling herself (as you do) and was shocked to come across a record of a minor conviction she’d received as a teenager 15 years ago.

Cross told the Sunday Star Times that she’d called SCPIA “probably 20 times to get this off the internet,” without much luck.

Fear not though, the Sunday Star Times went straight to the source, SCPIA president Kerry Beveridge, who declared they were “investigating how this happened” and the article reports that he suggests the “database had been hacked and the list posted online.”

It’s an explanation that the Sunday Star Times was happy to report, both in the article and the headline, without any scepticism.

So Kerry, let’s see if we can figure out how this happened…

The first clue is in the URL reported by the Google search Jessica conducted. Let’s see… while the file itself is gone now, the hacked list seems to have been leaked on a website hosted at scpia.nz – a quick visit there might give us some clues!

Oh.

So the hacked and leaked documents are hosted on the website of the South Canterbury Property Investors Association. Not a great start, but how were the documents accessed?

Well with a little more digging we can find that out too. The top secret databases were accessed through a very secure page…

A page completely undiscoverable to anyone who… doesn’t know the web address. That’s it. The entire security for this MEMBERS ONLY site is not knowing where it is. Oh, and some red text.

Once you (or the web crawlers of Google and others) stumble upon this SECRET website, how is this “database” managed?

I bet you can guess… It’s two PDF files. A 13 page list of various debtor details dating back to 1993, with very little information in many cases, and a 600+ page spreadsheet of apparent convictions, also dating to around 1993, most with virtually no context or corroborating details.

Both of these “databases” were discovered and indexed by Google and others, indicating that there was, indeed, no security or access restrictions.

How did this secret page get found? The SCPIA linked to their SECRET website from their main homepage.

Didn’t spot it? It’s the Yellow text – “Timaru” – on the yellow background at the bottom. Clicking that link takes you to their MEMBERS ONLY secret page with all their special MEMBERS ONLY information, including details of more than 20,000 court appearances and hundreds of alleged debts.

Maybe you didn’t see it at first, but Google and other web crawlers certainly did, and they diligently saved what they saw, including those hundreds of records.

The South Canterbury Property Investors’ Association has now taken their member website down, or perhaps just moved it to some other super secret URL, but the records they once shared so openly (albeit slightly hidden) remain searchable and a even archived in some places.

In the broadest sense “hacking” requires unauthorised access – that’s not just ignoring a red warning notice, but bypassing or overcoming security controls. If that hasn’t happened then we’re probably not talking about a “hack.”

What has happened here is that SCPIA has imagined they have the skills in-house to manage their website and maintain a private members-only portal. They’ve played around in an HTML editor and believed that simply having an unusual URL (scpiz.nz/zSec18/Hom16avabxg49qkw.htm) was enough to protect them. Their own ignorance about how the internet works has led them to leak sensitive data they are trusted to protect.

Businesses holding personal information have a legal and moral obligation to protect that information. If they don’t have the resources to do that securely then they need to seek out people and companies to help.

We should also expect the media reporting on these issues to hold themselves to a standard higher than simply parroting the excuses of any business that suddenly finds their data spread across the web. If journalists don’t have the skills to fact check these claims themselves then they should consult with experts who can offer an informed opinion, as they would with any other issue.

You weren’t hacked SCPIA, you were found out. There’s a significant difference.