In June 2020, I discovered a large amount of records that contained detailed information on property renters, visitors, commercials leases, and much more. Upon further research it was clear that this was some type of rental agency or property management company. The records appear to belong to Midwest Property Management. Located in Edmonton, Alberta Midwest Property Management is the largest privately held residential rental property holder in Alberta and the Northwest Territories.
Once I was able to validate who owned the database, I immediately sent a responsible disclosure notice by email to key individuals or senior leadership alerting them to the exposure. Next, I validated several email addresses of individuals located in the “tenant” folder and was able to match names with those located in the exposed records. Public access was restricted shortly after I sent the notice.
This was one of the largest collections of personally identifiable information (PII) that I have seen in awhile and the records were in plain text and nothing appeared to be encrypted.
It is unclear who else may have gained access to the records or how long they may have been accessible to anyone with an internet connection. I was able to analyze a large sampling of records for verification purposes and could see detailed records of everything from repair requests to visitor’s names, vehicle information, and license plate numbers.
The is a wide range of potential threats in this type of exposure. It creates a point of trust where a criminal would have enough information to launch a targeted phishing attack in an attempt to obtain banking or payment information.
A full summary of my discovery can be found on Secure Thoughts.
Stay ahead of cyber threats with Security Discovery. We offer expert consulting, comprehensive services, and a powerful vulnerability monitoring SaaS platform. Protect your business proactively - get in touch today for personalized digital security solutions.