Thousands of people who have rented with or even applied for a property from Lambton Property Management (LPM), may have to renew their identity documents.
1 NEWS first reported on the privacy breach last week, when a researcher in Ireland discovered tens of thousands of files sitting on an unsecure website.
Now, a second researcher has come forward, saying they too accessed the data.
One of those whose files were unsecured, is Wellington woman Harriet.
She says LPM hasn't been in touch regarding the issue, and she only found out when 1 NEWS got in touch.
"I think from the LPM side of things they need to take accountability and contact the relevant people," she said.
She's nervous her personal details are now in the hands of criminals.
"That's what I keep thinking about, what has come of it?"
“Have they used my personal details for anything?“
While LPM would not be interviewed today, it's previously claimed the data hasn't been accessed without authorisation.
However, 1 NEWS has now been in touch with two separate researchers claiming they’ve seen the files.
One sent an email to LPM in late April, more than a month before the company took action.
In a statement from Friday, LPM said this is part of its review into the incident.
“It remains the case that LPM has not been able to identify any contact prior to 10 June, while not disputing those saying they did reach out.”
“This point is being considered in LPM’s investigation."
LPM is in the process of contacting past and current tenants who had submitted personal information to LPM when applying for a tenancy.
In the meantime, officials from CERT NZ warn the kind of data exposed should be considered sensitive, and is dangerous in the wrong hands.
“It’s used to do things like sign up for services, loans, bank accounts,” said Deputy Director Declan Ingram.
“What we find criminals will steal this information and use it to hide their tracks.”