South Canterbury Property Investors Association (SCPIA)

The South Canterbury Property Investors Association (SCPIA) operates as a landlord association based in New Zealand, serving property investors and landlords within its regional scope. Its core function involved the compilation and maintenance of a confidential database containing sensitive tenant information, including criminal conviction records, which was sold exclusively to its member landlords. This database served as a tenant screening tool, providing members with access to personal data intended to assess potential rental risks. The association positioned itself as a resource for property investors, offering a specialized service that aggregated non-public personal information for due diligence purposes. The very existence of this database, as described in incident reports, underscores the association's role in facilitating background checks beyond standard public records, a practice that placed it at the intersection of property management, data aggregation, and privacy considerations. The service was explicitly framed for internal member use only, creating a closed system for sharing sensitive information among paying subscribers.

The organisation's operations and data handling practices were brought into sharp focus by a major security incident on February 9, 2019. During this event, the association's confidential database was compromised and the contents were publicly leaked online, exposing the personal records of hundreds of individuals. The leaked data included details such as criminal convictions, with one documented case involving the disclosure of a victim's decades-old minor offense from adolescence without her consent. The association's president subsequently confirmed the system intrusion and acknowledged that the information was compiled and sold solely for the internal screening purposes of its member landlords, not for public dissemination. This breach highlighted the significant volume of sensitive personal data the association controlled and the potential consequences of its unauthorized exposure. The incident illustrated a critical failure in safeguarding the very data that constituted the association's primary service offering, directly linking its business model to a substantial privacy violation. The publicly leaked nature of the data fundamentally contradicted the association's stated intent for the information's restricted, member-only use.