Canadian Property Management Company Exposed 1.2 Million Tenant Records
Secure Thoughts collaborated with Security Expert Jeremiah Fowler to expose a leak of over 1 million tenant records by a property management company. Here are his findings:
In June 2020 I discovered a dataset that contained detailed information on property renters, visitors, commercials leases, and much more. Upon further investigation, it appeared to be the internal records of a large property management organization. The records all made references to Midwest Property Management. Located in Edmonton, Alberta Midwest Property Management is the largest privately held residential rental property holder in Alberta and the Northwest Territories.
Once I was able to validate who owned the database, I immediately sent a responsible disclosure notice by email to key individuals or senior leadership alerting them to the exposure. Next, I validated several email addresses of individuals located in the “tenant” folder and was able to match names with those located in the exposed records.
The deeper I explored the publicly accessible data the more clear it became of just how sensitive these records were. This was one of the largest collections of personally identifiable information (PII) that I have seen in a long time in plain text and no encryption. It is always a race against the clock to notify the data owner before the data is targeted by ransomware, stolen by cybercriminals, or erased by the new Meow Bot. Luckily, public access was restricted within hours of my notification.
It is unclear who else may have gained access to the records or how long they may have been accessible to anyone with an internet connection. I was able to analyze a large sampling of records for verification purposes and could see detailed records of everything from repair requests to
Here is what I discovered that included the following:
- The database was set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.
- 1.2 million Total Records Publicly Exposed
- Client / Tenant and Visitors names, emails, addresses, phone numbers, and more
- Folders named: Account, BFBudget, Commercial Lease, GuestCard, Resident
Security, Unit, Vehicle, Vendor, WorkOrder
- Database at risk for ransomware (there was no evidence of automated ransomware)
- Middleware and build information that could allow for a secondary path for malware.
- IP addresses, Ports, Pathways, and storage info that cybercriminals could exploit to access deeper into the network.
How This Data Could Be Abused?
I am not implying any tenants are at risk, but hypothetically the real danger here would be a targeted phishing campaign against tenants. Anytime there is a position of trust there is a possibility of social engineering. For example, if a Cyber Criminal had all of the internal information needed to pretend to be an agent or employee they could request Tax IDs, payment, or banking information. This could lead to potential identity theft or other crimes. Why would you not believe a person contacting you who knows and can verify all of your account data?
According to Midwest Property Management’s Linkedin profile:
“Midwest Property Management has been serving Western Canada since 1954. We are located in Edmonton, Calgary, Red Deer, Medicine Hat, Yellowknife, and Vancouver. We are committed to providing the best value and quality in rental accommodation for our residents. We have become a leader in our industry by consistently maintaining our properties and delivering excellent customer service.”.
As a security researcher, I have seen so many cases where organic businesses have to go digital with their records or CRM systems and unfortunately expose data along the way. In today’s world, the data that organizations collect is just as valuable as the products or services they provide. This is yet another wakeup call that companies who operate primarily offline must do more to protect the data they collect and store.
No one from Midwest Property Management (rentmidwest.com) ever replied to my initial responsible disclosure notice on June 19th or a follow-up request on June 29th. We have not received a statement at the time of publication. It is unclear if they notified the exposed individuals or the authorities regarding the data exposure as required under the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”).
On June 2015, the Digital Privacy Act amended PIPEDA to include breach notification requirements. The Act defines a “breach of security safeguards” as a loss or unauthorized access or disclosure of personal information resulting from a breach of the organization’s security safeguards and requires mandatory reporting.