Cyber Incident Victim: South Canterbury Property Investors Association (SCPIA)

In February 2019, the South Canterbury Property Investors’ Association (SCPIA) experienced a cybersecurity incident involving unauthorized access to its tenant screening database. The compromised database contained a “blacklist” of personal information on prospective tenants, including historical criminal convictions, which SCPIA compiled and sold to its landlord members for background checks. Attackers exfiltrated this sensitive data and publicly leaked it online, exposing hundreds of Timaru residents’ records. Among those affected was Jessica Cross, who discovered her decades-old minor criminal conviction—committed as a teenager approximately 15 years prior—had been published without her consent. The public disclosure caused distress to impacted individuals, who had no prior indication their historical records were being systematically collected, retained, or disseminated by SCPIA. The leak revealed the association’s practice of aggregating and monetizing tenants’ criminal histories despite the age or severity of offenses.

SCPIA President Kerry Beveridge confirmed the breach, attributing the incident to a hack of their database. Beveridge stated the list was intended solely for restricted access by paying SCPIA members and was not meant for public distribution. No technical details regarding the attack vector, intrusion timeline, or containment measures were disclosed publicly. The exposure highlighted operational risks associated with SCPIA’s data handling practices, particularly the retention and sale of outdated criminal records without apparent safeguards against unauthorized access. Affected individuals faced potential reputational harm and loss of privacy due to the irreversible dissemination of their sensitive information across online platforms. The incident underscored vulnerabilities in niche tenant-screening databases maintained by private organizations lacking robust cybersecurity controls.