Originally published on January 29th, 2021
Company name and location: Imobiliare, based in Romania
Breach size: 201,087 files
Number of people exposed: Approximately 200,000
Data Storage Format: AWS S3 Bucket
Countries Affected: Romania
The largest real estate portal in Romania, Imobiliare, has suffered a data breach that could potentially affect its entire client database. It remains unknown whether the company’s client information fell into nefarious hands, but the company’s bucket was found to be exposed, without password protection or encryption.
As part of conducting routine server scans for potential vulnerabilities, the Website Planet team discovered that the affected company had left its AWS S3 Bucket unsecured.
The misconfiguration meant that anyone attempting to access the company’s bucket could have done so without encountering basic security measures such as password protection.
Effectively, anyone could have accessed the Bucket just by entering the correct URL.
Exposed Customer Data
The exposed data was stored within 35,738 .PDF and 165,316 .JPG files and included Personal Identifying Information (PII) such as:
CNP Number (Cod Numeric Personal – Personal Numeric Code, a unique identifying number)
Other compromising client information included:
Real estate contracts between clients and the agency.
Property documents including architectural plans, detailed specifications, and property locations.
Land extracts and ANCPI documents (National Agency for Cadastre and Advertising).
User profile images.
Scanned copies of national ID cards including identifying codes.
Requested price of the property.
Detailed description of properties including location, surroundings, and local services.
Who was affected?
The breach exposed more than 200,000 records but the precise number of people affected by the breach remains unknown.
Imobiliare’s records were partially complete, and some records revealed PII for multiple people, so the total record count cannot be used to estimate the number of affected people. Several of the discovered records included only buyer or seller information, whereas others contained agent information as well.
Who Was Leaking the Data?
Launched in 2000, Imobiliare is the largest real estate portal in Romania, offering its services to both real estate agencies and individuals across Romania. The company is a subsidiary of Swiss media group Ringier.
Clients can publish their property offers via the company’s website.
According to the company, more than 1,000 real estate agencies benefit from its services, and it claims to register over 1 million unique visitors per month. Imobiliare promotes a selection of properties, including new builds within modern residential and commercial complexes. The company is also active in promoting its services via partnerships with prestigious publications and portals in Romania.
The company’s AWS Bucket was found to be completely open due to the lack of implementation of basic security measures. This means that the company’s bucket was leaking user information. Anyone with the correct URL could access the Bucket. It is important to note that the server host (Amazon) was not at fault for the breach.
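The report does not say whether the bucket was opened through its ACL or its bucket policy, so the following added example (not Website Planet's or Imobiliare's code) checks both against the bucket's Public Access Block settings, using configuration of the shape returned by the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls. The function name, the sample bucket name and the sample configurations are constructed for illustration.

```python
import json

# ACL grantee group URIs that S3 uses for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _is_wildcard(principal):
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def public_exposure(acl_grants, policy_json, pab):
    """Findings for anonymous access; an empty list means none were found.
    acl_grants: "Grants" from GetBucketAcl; policy_json: policy string or None;
    pab: PublicAccessBlockConfiguration dict ({} if never set)."""
    findings = []
    # IgnorePublicAcls makes S3 disregard public ACL grants already in place.
    if not pab.get("IgnorePublicAcls", False):
        for g in acl_grants:
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append(f"acl:{g['Permission']}")
    # RestrictPublicBuckets cuts off anonymous use of a public policy.
    if policy_json and not pab.get("RestrictPublicBuckets", False):
        stmts = json.loads(policy_json).get("Statement", [])
        for s in [stmts] if isinstance(stmts, dict) else stmts:
            # Simplification: a statement with a Condition is not flagged here.
            if (s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal"))
                    and not s.get("Condition")):
                acts = s.get("Action", [])
                for a in [acts] if isinstance(acts, str) else acts:
                    findings.append(f"policy:{a}")
    return findings

# Constructed sample: a bucket readable by anyone who knows the URL.
OPEN_ACL = [{"Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(public_exposure(OPEN_ACL, OPEN_POLICY, {}))      # exposed
    print(public_exposure(OPEN_ACL, OPEN_POLICY, LOCKED))  # contained
```

BlockPublicAcls and BlockPublicPolicy only reject new public settings, which is why the check keys on IgnorePublicAcls and RestrictPublicBuckets for configuration that already exists.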
The likely impact on customers could be severe, given the type of information that was leaked.
First and foremost, nefarious users could potentially harness the information to learn people’s residential addresses, approximate income and financial status. Explicit financial information or details were not leaked, although unauthorised users could use property values as a proxy indicator for net wealth. With this information, identity theft is the prime concern, although other crimes such as burglary are also made more likely by the leak.
A combination of full name, address, national ID card and signature is sufficient for nefarious users to conduct identity theft and fraud. Furthermore, personal user details could be used to conduct fraud across other platforms without the victim becoming aware that such activity is occurring.
Status of the Data Breach
Our research team first reached out to Imobiliare on December 1st 2020, and AWS on December 11th 2020, but we never heard back from the company. A month later, after some additional attempts, we reached out to Ringier (who owns Imobiliare) on January 10th 2021. They got back to us and Imobiliare closed the breach a day after.
Protecting Your Data
There was little that Imobiliare users could have done to prevent their data from being leaked. The culpability for the server leak lies entirely with the company.
However, users can mitigate the risks they face from poor cybersecurity through third-party companies such as consumer credit reporting companies that offer identity recovery assistance if leaked personal information was used to damage someone’s credit history or carry out other crimes under an assumed name.
In terms of threat mitigation, users can take proactive steps to improve their cybersecurity by contacting the company they are dealing with and requesting information about how their personal information is being stored, for what duration and under what policy.
How and Why We Report on Data Breaches
Website Planet is an entity that seeks to help its readers stay safe when using any website or online service. However, given that most data breaches are never discovered or reported by the affected companies, conveying current risk information can be problematic. As a result, we seek to identify existing online vulnerabilities that are putting people at risk, to better prepare them for the risks they face online.
As an organisation, we follow the principles of ethical hacking and we always work within the remit of the law. We only investigate unsecured and unprotected databases that were discovered at random. We never target specific companies and we always report all our findings to the appropriate authorities, including the affected companies themselves.
By reporting these leaks, we help to make the internet safer for everyone.
Website Planet is the number one resource for web designers, digital marketers, developers, and businesses with an online presence.
Our team of ethical security research experts uncovers and discloses serious data leaks as part of a free community service we perform for the web at large.