A US real estate investment and management company accidentally exposed more than 170,000 sensitive records online, according to a new report by cybersecurity researcher Jeremiah Fowler.
Fowler discovered the unencrypted, password-free database, containing 116.24GB of information, and reported it to WebsitePlanet.
What Data Was Exposed?
When Fowler reviewed a sample of the data, he found personally identifiable information (PII) from motel and hotel employees, including;
- Full names
- Home addresses
- Email addresses
- Dates of birth
- Social security numbers
Beyond this, the database also exposed:
- Police reports with details of guest and employee arrests
- Accident and injury reports, with photos and video stills
- Medical documents such as COVID-19 positive test results
- Photos of property damage in hotel rooms and public areas
- Employee records, including termination letters, demotion notices, petty cash logs, and expense reports (some listing partial payment card details)
Fowler described the discovery as one of the most concerning exposures he has seen in recent years because of the broad range of sensitive material involved.
Who Owns the Data?
Fowler’s research linked the exposed database to Income Property Investments Inc., a California-based real estate investment and management firm that manages properties across the United States, including hotels, apartment buildings, commercial spaces, and residential homes.
Most of the exposed records related to the firm’s hotel operations, but some documents were also connected to residential properties.
At this point, it remains unclear whether Income Property Investments or an outside contractor managed the exposed database. Investigators also don’t know how long the data remained open to the public or if any unauthorized parties accessed it before Fowler’s discovery.
After Fowler notified the company, it restricted access to the database the same day.
Why This Exposure Matters
Leaking personal data such as SSNs, birthdates, and employment details creates serious risks for identity theft, credit fraud, tax fraud, and unauthorized account access. Criminals often use this information to open fake credit accounts or impersonate victims.
Fowler warned anyone who believes their data might be involved to closely monitor their credit reports and bank accounts for suspicious activity. He also recommended placing fraud alerts or freezes on credit profiles when needed.
Lessons in Data Security
This breach highlights the dangers of storing sensitive information in unsecured Excel spreadsheets and central databases. Fowler urged businesses to encrypt documents, apply strict access controls, and adopt better data management practices to reduce risk.
He also warned companies not to rely on single, central databases that aggregate large amounts of sensitive data. “A central storage point becomes a prime target for attackers if the proper security measures aren’t in place,” Fowler explained.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.