In June 2020, I discovered a large number of records that contained detailed information on property renters, visitors, commercial leases, and much more. Upon further research it was clear that this was some type of rental agency or property management company. The records appear to belong to Midwest Property Management. Located in Edmonton, Alberta, Midwest Property Management is the largest privately held residential rental property holder in Alberta and the Northwest Territories.
Once I was able to validate who owned the database, I immediately sent a responsible disclosure notice by email to key individuals or senior leadership alerting them to the exposure. Next, I validated several email addresses of individuals located in the “tenant” folder and was able to match names with those located in the exposed records. Public access was restricted shortly after I sent the notice.
This was one of the largest collections of personally identifiable information (PII) that I have seen in a while, and the records were in plain text and nothing appeared to be encrypted.
Here is what was discovered:
- The database was set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.
- 1.2 million Total Records Publicly Exposed
- Client / Tenant and Visitors names, emails, addresses, phone numbers, and more
- Folders named: Account, BFBudget, Commercial Lease, GuestCard, Resident Security, Unit, Vehicle, Vendor, WorkOrder
- Database at risk for ransomware (there was no evidence of automated ransomware)
- Middleware and build information that could allow for a secondary path for malware.
- IP addresses, Ports, Pathways, and storage info that cybercriminals could exploit to access deeper into the network.
It is unclear who else may have gained access to the records or how long they may have been accessible to anyone with an internet connection. I was able to analyze a large sampling of records for verification purposes and could see detailed records of everything from repair requests to visitors' names, vehicle information, and license plate numbers.
There is a wide range of potential threats in this type of exposure. It creates a point of trust where a criminal would have enough information to launch a targeted phishing attack in an attempt to obtain banking or payment information.
A full summary of my discovery can be found on Secure Thoughts.