Report: French Estate Agency Leaks Thousands of Customer Files

Company name & location: GSI Immobilier, located in France

Size (in GB and amount of records): 2 GB of data, 1342 records

Data Storage Format: Microsoft Azure Blob

Countries Affected: France & England

The Website Planet research team can reveal a damaging data leak belonging to the French real estate agency, GSI Immobilier.

GSI Immobilier is an Alpine real estate agency specializing in managing, selling, and renting luxury properties throughout several popular holiday destinations in France’s Savoie region.

The company was storing data on a Microsoft Azure Blob Storage server whose misconfiguration exposed sensitive customer files and left over 1000 people potentially at risk of further crimes.

Customer Data Leaked

GSI Immobilier’s breach has compromised 1342 files (2GB of data) which featured the sensitive personal data of GSI’s holiday rental customers.

GSI’s Microsoft Azure Blob Storage server was configured without password protection or any encryption, thus providing easy access to anyone who may have found the server and its content.

The server contained scanned and photographed booking contracts in the “.pdf” format.

These documents feature booking details along with numerous forms of customer PII:

• Full names; including first names and surnames
• Phone numbers
• Email addresses
• Addresses of customer’s homes and booking locations
• Booking details; including the arrival and departure dates of customers, and the prices paid for each booking
• Customer signatures (in some cases)
• Scanned pictures of signed cheques (in some cases)

The database was live and regularly updated at the time of discovery.

Leaked arrival and departure dates, along with prices paid for accommodation, provide criminals with a gold mine of information to help them choose potential targets for crime.

You can see evidence of leaked booking documents in the screenshots below.

The leaked booking documents contained billing information and booking details. The names, home (and rental) addresses of customers, and customers’ rental accommodations’ contact details were also displayed on each file.

Some files included additional types of sensitive customer data, such as customer signatures on booking documents and cheques.

In total, a minimum of 1342 people are affected by this data breach. That’s because each leaked booking document contains the personal information of a single GSI customer.

However, GSI’s breach could potentially cause far greater damages, affecting both its business and its customer base.

Who was Affected?

GSI’s data leak primarily affects French customers, whose booking documents make up the bulk of the server’s leaked files. Booking documents for English customers were among leaked files as well.

While GSI does provide plenty of affordable rental properties, premium-paying customers feature on the server too. Wealthy customers are able to afford the top luxury accommodations and are identifiable through billing information on leaked booking documents.

Who Was Leaking the Data?

GSI Immobilier manages a long list of Alpine properties throughout the Savoie region of France.

GSI offers a catalog of holiday rentals: including apartments, lodges, and chalets, all located in popular Alpine towns and Ski resorts. GSI also oversees the sale of several other properties.

GSI Immobilier’s main office is in Moûtiers – a commune located in the French Tarentaise valley. GSI owns 6 other branches, each located in a different location within the Savoie region.

GSI has over 1000 properties on its books and co-owns 350+ complexes throughout winter and summer sports destinations. Across all of its branches, GSI has 48 employees and turns an annual revenue of $8 million.

Impact on Customers

We cannot know whether unethical hackers have found sensitive customer data on GSI’s open Azure Blob Storage server.

However, hackers could carry out several different cyberattacks should they have accessed GSI’s customer records.

In this case, GSI’s breach could affect more individuals than simply those with leaked records.

Family members and friends may accompany leaked customers at rental properties with a leaked address. People who are associated with GSI customers could also live at leaked home addresses. Any crime committed at reservations/properties could therefore affect the leaked customer’s friends, family, or associates too.

All affected parties, including those accompanying exposed guests, need to be aware of the potential dangers they are facing.

Phishing Attacks

GSI customers could be subject to phishing attempts from hackers who access booking information.

Bad actors could contact GSI customers via email or phone, using the customer’s name and booking information to build rapport while posing as a GSI employee, or a representative of the holiday rental accommodation.

Once the customer is in full cooperation, the attacker could progress the conversation. They may coerce other forms of personal information out of the victim.

The criminal may also convince the victim to click an email link. Doing so downloads malicious files onto the victim’s device. These files aid further criminal activities.

Fraud & Scams

The presence of billing information means there is a possibility cybercriminals could adapt their methods to other popular fraudulent techniques.

By all means, hackers could attempt to coerce bank account details out of the customer through the above-mentioned social engineering technique. Hackers could also assume the identity of the victim should they find out enough personal information. A hacker could borrow money in the victim’s name with customer PII.

Hackers may attempt well-known scams using the available billing information. Scammers may try to convince customers that they have underpaid their order or that the payment has been unsuccessful. From here, hackers can acquire bank account details or simply accept any sent money for themselves.

Theft

The threat of theft would be significant if hackers have accessed GSI’s server. Customer booking documents provide plentiful examples of personal information to inform thieves and burglars.

Hackers can prioritize victims based on the size of their booking. Criminals could target customers staying in the most expensive accommodations with theft attempts.

Hackers would know the timescale of the customer’s stay at the accommodation. Hackers would also know the customer’s home address and holiday rental address.

Therefore, thieves that access the leaked files could organize robbery attempts with relative ease, robbing the houses of affluent holidaymakers who are hundreds of miles away.

Elsewhere, criminals could hijack reservations and stay at bookings themselves, assuming the identity of the leaked customer with the selection of details available.

Impact on GSI Immobilier

GSI Immobilier faces several consequences for leaking customers’ personal data.

GDPR

First and foremost, GSI is likely to come under the scrutiny of the EU’s GDPR data privacy regulations.

GDPR is the body of laws that govern data protection throughout the European Union.

Businesses that mishandle, misuse, or fail to protect the data of EU citizens are likely to face sanctions from GDPR. Guilty companies may receive a fine of up to €20 million or 4% of the company’s annual turnover (whichever is greater).

GSI’s database has leaked the data of English citizens too. The United Kingdom is no longer part of the EU but has retained GDPR laws in the form of UK GDPR , or the Data Protection Act 2018.

The UK’s GDPR laws are the same; only GSI could face a separate fine from British authorities. The max fine for a breach of the Data Protection Act 2018 is slightly lower, at £17.5 million or 4% of the company’s annual turnover (whichever is greater).

Reputational Damage

The fallout from such an event could be significant. Leaking customer data is often not good for business.

Customers trust brands with their personal data. Mishandling that data may cause discontent among both existing and potential customers, and this can affect a business’s reputation.

Corporate Espionage

Rival agencies in the Savoie area could acquire GSI Immobilier’s list of customers. While pricing is already available on GSI’s website, these competitors could target GSI’s leaked customer list with better offers in similar destinations. This would take business away from GSI by undercutting the company’s prices/value.

Competitors could pose as another GSI employee, using customer information to build rapport and find out more information about GSI’s customers or general business operations.

Status of the Data Breach

We sent an initial responsible disclosure of the breach to GSI Immobilier and received no reply. We informed the Microsoft Security Center of the breach as well and continued to follow up with both companies over the next few weeks.

We did eventually get in touch with the Microsoft Security Center, this time using their security platform. Microsoft informed us that the issue was not their responsibility.

Finally, we contacted the French Computer Emergency Response Team (CERT) concerning this breach. The French CERT replied to our message, notifying us they had contacted GSI Immobilier. Unfortunately, GSI never replied to the French CERT.

We also tried to contact the company via the “online chat” feature on their website, but we were told “no thanks” and the chat conversation was terminated.

After several attempts and help from a few other people, eventually the server was secured.

Protecting Your Data

GSI Immobilier customers affected by this data breach should take necessary steps to minimize the risk of phishing attacks, fraud, scams, and theft.

First of all, worried individuals should be extra vigilant when receiving calls, texts, or emails from an unknown source – especially if the caller/messager claims to be a GSI employee.

Customers should ask unknown callers/email senders to prove they are who they say they are. Customers should never give any form of personal information away before a caller/sender authenticates their identity.

As for GSI Immobilier, employees should suspect any incoming calls referencing customer billing information. GSI should also make doubly sure that all remaining databases are secure to avoid another leak in the future.

How and Why We Report on Data Breaches

We want to help our readers stay safe when using any website or online product.

Unfortunately, most data breaches are never discovered or reported by the companies responsible. So, we decided to do the work and find the vulnerabilities putting people at risk.

We follow the principles of ethical hacking and stay within the law. We only investigate open, unprotected databases that we find randomly, and we never target specific companies.

By reporting these leaks, we hope to make the internet safer for everyone.

What is Website Planet?

Website Planet takes pride in being the top resource for web designers, digital marketers, developers, and businesses with an online presence. We provide tools and resources for everyone, from beginners to experts — and we prioritize honesty above all else.

We have an experienced team of ethical security research experts who uncover and disclose serious data leaks as part of a free service for the online community at large. This has included a breach in a famous European office supplier, as well as a breach in an Indian B2B online packaging marketplace leaking sensitive data.

You can read about how we tested five popular web hosts to see how easily hackable they are here.