Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 170,360 records. The database, which presumably belongs to a real estate management and investment company, held PII, SSNs, and other internal potentially sensitive information.
The publicly exposed database was not password-protected or encrypted. It contained 170,360 records with a total size of 116.24GB. In a limited sampling of the exposed documents, I saw spreadsheets detailing motel-employees’ PII, including names, physical addresses, email addresses, DOB, and SSN in plain text. The database also showed property inspection reports, notices to vacate (evictions), employee terminations and demotion letters, petty cash statements, receipts, and expense reports (some of which contain the card type used to pay and its last 4 digits). I also came across:
Police reports including arrest details of guests and hotel employees.
Documentation of accidents and falls, including images or videos of guests and employees on the ground.
Proof of illness documents indicating positive COVID-19 tests and other medical issues.
Images of damage done to rooms, common areas, and parking lots.
This is one of the more interesting discoveries I have seen in several years, as the exposed database appears to contain a wide range of documents and information about motel guests, employee conflicts, surveillance videos, images, and much more.
The internal files and database name indicated the records appeared to belong to a California-based company called Income Property Investments Inc. This is a real estate investment and management company that specializes in acquiring, developing, and managing a range of properties throughout the United States. I immediately sent a responsible disclosure notice to Income Property Investments, and the database was restricted from public access the same day and no longer accessible. Although the records appeared to belong to Income Property Investments, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before I discovered it or if anyone else may have gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity.
According to their website, Income Property Investments has a diversified multi-state portfolio including hotels, conventional and affordable apartment complexes (Tax Credit, Section 8, Senior Housing), commercial buildings, townhomes, and single-family homes. The vast majority of the documents I saw in the publicly accessible database were hotel-related, while a small portion of the documents I reviewed appeared to be linked to residential housing.
This image is a collage of still images or screenshots taken from surveillance videos of incidents that I saw inside the database. I captured key moments in the screenshot to highlight the range of incidents contained in the videos. In most cases the incident reports also included PII and other details of the individuals involved.
This screenshot shows a document marked as “new hires”, which indicated employee information such as names, home address, date of birth, and Social Security Number (SSN).
This screenshot shows employee data including date of hire, email addresses, and salary information.
This image is a collage of 3 screenshots of positive COVID-19 tests found in the exposed database. The tests indicate the name and date of birth of patients.
This image shows an incident report indicating guest information and details of a potentially serious assault.
This screenshot shows a disciplinary warning document marked as “confidential”. It indicates an employee was behind the front desk sleeping on the floor. ❮❯
×
Exposing personally identifiable information (PII) such as names, dates of birth, Social Security numbers, and employment details can have serious potential risks, including identity theft, credit fraud, tax fraud, or attempts to gain unauthorized access to personal accounts. Criminals can use real personal information to open credit accounts or impersonate individuals for various other fraudulent activities. I advise any individuals who believe their personal information may have been exposed to actively monitor their credit reports.
If there are any suspicious charges, you should contact that company or creditor immediately to verify if it is legitimate. In worst case scenarios, credit bureaus can place fraud alerts or freezes on credit profiles to prevent any further unauthorized accounts from being created. There are also numerous companies offering identity theft protection services that can also help catch attempts to use your personal information to open fraudulent accounts. Being proactive and knowing the warning signs (such as notifications of new unfamiliar accounts, charges, sudden drops in credit scores, or denials of legitimate new credit applications) can go a long way. I am not stating nor implying that customers, employees, or any third parties affiliated with Income Property Investments are at risk of these types of fraudulent activities. I am only highlighting the real-world risk scenarios of how criminals could exploit such information for educational and awareness purposes.
Another potential risk is the use and storage of sensitive data in unsecured Excel (.xls) files. These files often contain a large amount of plaintext information in a single document that can easily be copied, downloaded, shared, and often lack encryption by default. In the event of a data exposure, spreadsheets and similar documents are highly vulnerable to unauthorized access. To protect documents that contain PII or important internal business data, I recommend that companies encrypt them and enforce access controls or role-based permissions. This can help limit who can access these files and for how long, adding an additional layer of security. It is also a good idea to implement a data classification policy and segment documents in different storage locations to mitigate the potential risks of a data breach. As an example, all employee-related data should ideally be stored separately from data relating to incident reporting, security summaries, management communications, etc.
The database appeared to be an upload storage system for hotel staff, management, property managers, or other authorized personnel to send documents and information to a corporate office so they could be reviewed by senior management. While real-time sharing of critical information is necessary for efficient business operations, having one centralized storage repository could potentially become a high-value target for criminals or be a critical point of failure if not properly secured. I recommend any organization that collects and stores potentially sensitive information conduct regular security audits and penetration testing. It is also a good idea to create a dedicated communication channel for reporting privacy or data security concerns, as well as regularly educating and training staff on the best practices of data storage.
I imply no wrongdoing by Income Property Investments, or its employees, agents, contractors, affiliates, and/or related entities. I do not claim that any internal, employee, customer, or user data was ever at imminent risk. The hypothetical data-risk scenarios I have presented in this report are strictly and exclusively for educational purposes and do not reflect, suggest, or imply any actual compromise of data integrity. It should not be construed as a reflection of or commentary on any organization’s specific practices, systems, or security measures.
As an ethical security researcher, I do not download, retain, or share any data I discover. I only take a limited number of screenshots only when necessary and solely for verification and documentation purposes. I do not engage in any activities beyond identifying the security vulnerability and, where possible, notifying the relevant parties involved. I disclaim any and all liability for any and all actions that may be taken as a result of this disclosure. I publish my findings to raise awareness of issues of data security and privacy. My aim is to encourage organizations to proactively implement measures to safeguard sensitive information against unauthorized access.
What is Website Planet?
Website Planet stands as the premier resource for web designers, digital marketers, developers, and businesses operating online. We offer a wide array of helpful tools and resources catering to individuals at all skill levels, from beginners to experts. Furthermore, we provide updates on the most recent advancements in cybersecurity. At the core of our values lie honesty and transparency, which we uphold as our foremost commitments.
We have an experienced team of ethical security research experts who uncover and disclose serious data leaks as part of a free service for the online community. Recently, cybersecurity expert Jeremiah Fowler discovered and disclosed a non-password protected database that contained over 20 thousand medical records, and lately, a more large data data breach exposing 184 million login and password credentials, presumably intercepted by an infostealer malware.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.
Thank you, - your comment was submitted successfully!
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Share this blog post with friends and co-workers right now:
Thank you, , your comment was submitted successfully!
We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.
Thank you for signing up!
Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!
