A researcher discovered that Teammate App had an exposed database containing nearly 3 million records, including user credentials, employee details, and confidential documents, accessible without authentication. The researcher flagged this issue in December 2024 and formally notified the company in February 2025.
Upon notification, the company quickly restricted access but initially did not respond. When it did respond, the CEO dismissed the severity of the issue, falsely claiming that security layers prevented any real breach. However, the researcher provided evidence that not only were sensitive records publicly accessible, but files could still be downloaded without authentication.
Following the public disclosure, Teammate App accused the researcher of hacking, even though the data was freely accessible due to the company's own misconfiguration. The company issued a misleading statement suggesting that the exposure was brief and attempted to shift blame onto the researcher rather than acknowledging its own security lapse.
In response, the researcher contacted the NZ Privacy Commissioner to provide evidence of the data exposure and highlight Teammate App’s failure to protect user information.