New Zealand Property Firm Exposes 31,000 Sensitive Documents in AWS S3 Breach
A misconfigured Amazon S3 bucket belonging to New Zealand’s LPM Property Management exposed over 31,000 sensitive documents, including passports, driver’s licenses, and ID verification photos tied to tenants, landlords, and maintenance records. The breach was discovered by Cybernews Security researcher Jake Dixon of Vadix Solutions, who alerted both LPM and Cybernews, but repeated attempts to contact the company went unanswered.
The exposed data remained accessible for over a month before Amazon Web Services (AWS) intervened to secure the bucket. The leaked files, which included personally identifiable information (PII), could be exploited for identity theft, phishing, or dark web sales, with estimates valuing the cache at over $600,000.
Declan Ingram of CERT NZ noted that the incident underscores the risks of poor cloud security practices, emphasizing the need for businesses to isolate sensitive systems, restrict access, and implement network segmentation. While AWS acted to close the breach, LPM has not responded to inquiries from researchers or media. The long-term impact on affected individuals remains unclear, though experts warn of potential fraud risks.
Source: https://www.scworld.com/brief/over-31000-ids-leaked-in-lpm-data-exposure
LPM cybersecurity rating report: https://www.rankiteo.com/company/lpm-property-management
"id": "LPM1766994759",
"linkid": "lpm-property-management",
"type": "Breach",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Tenants, landlords, and '
'individuals with maintenance '
'records',
'industry': 'Property Management',
'location': 'New Zealand',
'name': 'LPM Property Management',
'type': 'Business'}],
'attack_vector': 'Misconfigured Cloud Storage',
'customer_advisories': 'Affected individuals should monitor for fraud and '
'take defensive cybersecurity steps.',
'data_breach': {'number_of_records_exposed': '31,000+',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (Personally Identifiable '
'Information)',
'type_of_data_compromised': ['Passports',
'Drivers licenses',
'ID verification photos',
'Maintenance records']},
'description': 'A misconfigured Amazon S3 bucket belonging to New '
'Zealand-based LPM Property Management exposed over 31,000 '
'sensitive documents, including passports, drivers licenses, '
'and ID verification photos tied to tenants, landlords, and '
'maintenance records. The breach was discovered by Cybernews '
'Security researcher Jake Dixon of Vadix Solutions, who '
'alerted both LPM and CyberNews, but repeated attempts to '
'reach the company went unanswered. The exposed data was '
'secured only after Amazon Web Services was contacted, more '
'than a month later. The leak may have left personally '
'identifiable information vulnerable to identity theft, '
'phishing, and dark web exploitation.',
'impact': {'brand_reputation_impact': 'Likely negative impact due to lack of '
'response',
'data_compromised': '31,000+ sensitive documents',
'financial_loss': '$600,000 (estimated value of exposed data)',
'identity_theft_risk': 'High',
'systems_affected': 'Amazon S3 bucket'},
'initial_access_broker': {'data_sold_on_dark_web': 'Potential (estimated '
'value of $600,000)'},
'lessons_learned': 'Highlights the critical need for businesses to isolate '
'sensitive systems, limit access, and adopt network '
'segmentation practices.',
'post_incident_analysis': {'root_causes': 'Misconfigured Amazon S3 bucket'},
'recommendations': ['Monitor for fraud',
'Take defensive cybersecurity steps',
'Isolate sensitive systems',
'Limit access',
'Adopt network segmentation practices'],
'references': [{'source': 'Cybernews'}, {'source': 'CERT NZ (Declan Ingram)'}],
'response': {'communication_strategy': 'No response from LPM to inquiries',
'containment_measures': 'AWS secured the exposed bucket after '
'being contacted',
'third_party_assistance': 'Cybernews Security researcher Jake '
'Dixon of Vadix Solutions'},
'title': 'Misconfigured Amazon S3 Bucket Exposes 31,000 Sensitive Documents '
'of LPM Property Management',
'type': 'Data Breach',
'vulnerability_exploited': 'Misconfigured Amazon S3 bucket'}