Massive Data Exposure at Real Estate Firm Affects Over 170,000 Individuals

A real estate investment firm inadvertently left sensitive personal data belonging to more than 170,000 individuals exposed on an unsecured server, Straight Arrow News has discovered. The compromised information includes personal details of both employees and customers tied to properties such as Motel 6.

The unprotected server, according to a cybersecurity expert the data breach contained files with names, dates of birth, home addresses, and Social Security numbers.

The database belonged to Income Property Investments Inc., a California-based company involved in property investment and management. Following his alert, the firm quickly secured the server, although it provided no public acknowledgment of the breach. It remains uncertain whether the server was directly managed by the company or a third-party service provider.

Wide-Ranging Risks

The exposed records present a serious risk if accessed by malicious actors, who could exploit the data for identity theft and other cybercrimes.

Out of the 170,360 files discovered, many appear linked to multiple hotel properties across the U.S. The dataset includes highly confidential material such as employee records, eviction notices, internal communications, property inspections, and financial documentation.

One spreadsheet shared redacted to shield personal details—contained Social Security numbers, full names, addresses, and birthdates of newly hired staff at apartment complexes in different states.

Sensitive and Disturbing Content

Other documents included police reports detailing arrests involving both guests and employees, some accompanied by surveillance footage. Screenshots from these videos, with identities obscured, depict physical confrontations, including a possible altercation with law enforcement, a customer allegedly injured from a fall, and another individual vaulting over a front desk.

Among the internal documents is an employee disciplinary form describing an incident where a hotel worker was reportedly “sleeping on the job” behind the front desk. Another report chronicles a guest being stabbed and subsequently transported to the hospital.

Medical details were also found in the exposed files, including COVID-19 test results linked to staff, along with their names and birthdates.

The company’s website indicates it manages a diverse real estate portfolio that spans hotels, apartment communities, commercial spaces, townhouses, and single-family residences across multiple states.

Motel 6, which changed ownership in December 2024 when Blackstone sold it to Indian hospitality chain Oyo for $525 million, also did not respond to questions about its involvement with Income Property Investments or its knowledge of the security lapse.

At this time, it is unknown whether those affected have been informed that their personal data was exposed.

About The Author