Report: Romanian Real Estate Portal Suffers Crippling Data Breach

Originally published on January 29th, 2021

Company name and location: Imobiliare, based in Romania
Breach size: 201,087 files

Number of people exposed: Approximately 200,000

Data Storage Format: AWS S3 Bucket

Countries Affected: Romania

The largest real estate portal in Romania, Imobiliare, has suffered a data breach that could potentially affect its entire client database. It remains unknown whether the company’s client information fell into nefarious hands, but the company’s bucket was found to be exposed, without password protection or encryption.

As part of conducting routine server scans for potential vulnerabilities, the Website Planet team discovered that the affected company had left its AWS S3 Bucket unsecured.

The misconfiguration meant that anyone attempting to access the company’s bucket could have done so without encountering basic security measures such as password protection.

Effectively, anyone could have accessed the Bucket just by entering the correct URL.

Exposed Customer Data

The exposed data was stored within 35,738 .PDF and 165,316 .JPG files and included Personal Identifying Information (PII) such as:

• Full names
• Phone numbers
• Home address
• Emails
• CNP Number (Cod Numeric Personal – Personal Numeric Code, a unique identifying number)
• Personal signatures

Other compromising client information included:

• Real estate contracts between clients and the agency.
• Property documents including architectural plans, detailed specifications, and property locations.
• Land extracts and ANCPI documents (National Agency for Cadastre and Advertising)
• User profile Images.
• Scanned copies of national ID cards including identifying codes.
• Requested price of the property.
• Detailed description of properties including location, surroundings, and local services.

Who was affected?

The breach exposed more than 200,000 records but the precise number of people affected by the breach remains unknown.

Imobiliare’s records were partially complete with some records revealing PII for multiple people, therefore, the total record count cannot be used to estimate the number of affected people. Several discovered records included only buyer or seller information whereas others contained agent information as well.

Who Was Leaking the Data?

Launched in 2000, Imobiliare is the largest real estate portal in Romania, offering its services to both real estate agencies and individuals across Romania. The company is a subsidiary of Swiss media group Ringier.

Clients can publish their property offers via the company’s website.

According to the company, more than 1,000 real estate agencies benefit from its services and claims it registers over 1 million unique visitors per month. Imobiliare promotes a selection of properties including newbuilds within modern residential and commercial complexes. The company is also active in promoting its services via partnerships with prestigious publications and portals in Romania.

The company’s AWS Bucket was found to be completely open due to the lack of implementation of basic security measures. This means that the company’s bucket was leaking user information. Anyone with the correct URL could access the Bucket. It is important to note that the server host (Amazon) was not at fault for the breach.

Customer Impact

The likely impact on customers could be severe, given the type of information that was leaked.

First and foremost, nefarious users could potentially harness the information to learn of people’s residential address, approximate income and financial status. Explicit financial information or details were not leaked, although unauthorised users could property values as a proxy indicator for net wealth. With this information, identity theft is the prime concern although other crimes such as burglary are also made more likely by the leak.

A combination of full name, address, national ID card and signature are sufficient for nefarious users to conduct identity theft and fraud. Furthermore, personal user details could be used to conduct fraud across other platforms without the victim becoming aware that such activity is occurring.

Status of the Data Breach

Our research team first reached out to Imobiliare on December 1st 2020, and AWS on December 11th 2020, but we never heard back from the company. A month later, after some additional attempts, we reached out to Ringier (who owns Imobiliare) on January 10th 2021. They got back to us and Imobiliare closed the breach a day after.

Protecting Your Data

There was little that Imobiliare users could have done to prevent their data from being leaked. The culpability for the server leak lies entirely with the company.

However, users can mitigate the risks they face from poor cybersecurity through third-party companies such as consumer credit reporting companies that offer identity recovery assistance if leaked personal information was used to damage someone’s credit history or carry out other crimes under an assumed name.

In terms of threat mitigation, users can take proactive steps to improve their cybersecurity by contacting the company they are dealing with and requesting information about how their personal information is being stored, for what duration and under what policy.

How and Why We Report on Data Breaches

Website Planet is an entity that seeks to help its readers stay safe when using any website or online service. However, given that most data breaches are never discovered or reported by the affected companies, conveying current risk information can be problematic. As a result, we seek to identify existing online vulnerabilities that are putting people at risk, to better prepare them for the risks they face online.

As an organisation, we follow the principles of ethical hacking and we always work within the remit of the law. We only investigate unsecured and unprotected databases that were discovered at random. We never target specific companies and we always report all our findings to the appropriate authorities, including the affected companies themselves.

By reporting these leaks, we help to make the internet safer for everyone.

What is Website Planet?

Website Planet stands as the leading resource hub for web designers, digital marketers, developers, and businesses who maintain an online presence. Within our platform, you will find a vast array of valuable tools and resources carefully crafted to cater to individuals of all proficiency levels, spanning from beginners to experts. Moreover, we maintain a steadfast commitment to honesty and transparency as our core principles, ensuring up-to-the-minute coverage of the latest advancements in cybersecurity.

We have an experienced team of ethical security research experts who uncover and disclose serious data leaks as part of a free service for the online community. This has included a vulnerability in a Retail-focused Used Electronics Business and a Hotel reservation platform leaking private data.

Read about how we tested five popular web hosts to see how easily hackable they are, here.