A large, publicly accessible database containing over 170,000 unencrypted records—totaling more than 116GB—was discovered by a cybersecurity researcher. The database, which lacked any password protection, exposed sensitive personal and operational data tied to Income Property Investments Inc., a real estate firm based in California.
The leaked files included motel employee details such as full names, birthdates, Social Security numbers, home and email addresses, as well as internal records like eviction notices, termination letters, inspection reports, and financial documents. Some files revealed partial payment card data and personal medical information, including positive COVID-19 results. Additionally, the database contained police reports, accident documentation, surveillance footage, and images of property damage.
Though the database appeared to serve as a document-sharing system for hotel management and corporate offices, it was highly vulnerable due to its centralized nature and lack of security controls. After receiving a responsible disclosure notice, Income Property Investments promptly restricted access to the server. It remains unknown how long the data was exposed or whether it was accessed by unauthorized users.
The exposure carries significant risks, including identity theft, credit fraud, and misuse of unencrypted spreadsheets containing high volumes of plaintext data. Companies should adopt encryption, access controls, and staff training to mitigate data privacy threats.
