What happened in the Income Property Investments data breach?

A California-based real estate investment and management company was found to be leaking sensitive information through an internet-exposed database with no password protection. The database contained 170,360 records totaling 116.24GB of data belonging to motel guests, employees, and property operations across multiple states.

Who discovered the data breach?

The data breach was discovered by cybersecurity researcher Jeremiah Fowler, who reported the findings to Website Planet. Fowler sent a responsible disclosure notice to Income Property Investments, and public access was restricted the same day.

What types of sensitive information were exposed?

The exposed data included employee personally identifiable information, Social Security numbers in plain text, police reports with arrest details, surveillance videos, accident documentation, COVID-19 test results, property inspection reports, eviction notices, employee termination letters, financial records, payment card information, and images of property damage.

How many people were affected by this data breach?

The number of individual employees, guests, or customers impacted has not been disclosed. However, the breach affected sensitive information belonging to motel guests, employees, and property operations across multiple states.

How was the data breach resolved?

After cybersecurity researcher Jeremiah Fowler sent a responsible disclosure notice to Income Property Investments, public access to the exposed database was restricted the same day the notification was received.

Has Income Property Investments responded to the breach?

Income Property Investments has not publicly responded to requests for additional comment regarding the data breach. No details have been disclosed about internal forensic audits or whether law enforcement has been notified of the exposure.

What security measures were missing that led to this breach?

The breach was caused by an internet-exposed database that had no password protection, making sensitive data accessible to anyone who could locate the database online. This represents a fundamental failure in basic cybersecurity practices.

What should affected individuals do about this data breach?

While specific guidance from Income Property Investments has not been provided, affected individuals should monitor their credit reports, consider identity theft protection services, and watch for any unauthorized use of their personal information, especially given that Social Security numbers were exposed in plain text.

Incident

Database of Income Property Investments data discovered unprotected, exposing surveillance and employee records

Q: How much data was compromised in the breach?

The breach involved 170,360 records with a total size of 116.24GB. The vast majority of compromised documents were hotel-related, with a smaller portion linked to residential housing operations.

published: June 16, 2025

Learn More

A California-based real estate investment and management company has been found to be leaking sensitive information belonging to motel guests, employees, and property operations across multiple states.

The leak was caused by an internet exposed database with no password protection containing 170,360 records with a total size of 116.24GB. It was discovered by cybersecurity researcher Jeremiah Fowler and reported to Website Planet.

The vast majority of compromised documents were hotel-related, with a smaller portion linked to residential housing operations. The repository appeared to function as an upload storage system designed for hotel staff, management, property managers, and other authorized personnel to transmit documents and information to corporate offices for senior management review.

The exposed database appeared to belong to Income Property Investments Inc., a California-based real estate investment and management company. Exposed data includes:

Employee personally identifiable information (names, addresses, email addresses, dates of birth)
Social Security numbers stored in plain text
Police reports containing arrest details of guests and hotel employees
Surveillance videos and images of incidents involving guests and employees
Documentation of accidents and falls, including visual evidence
Proof of illness documents indicating positive COVID-19 tests and medical issues
Property inspection reports and maintenance documentation
Notices to vacate and eviction proceedings
Employee termination and demotion letters
Petty cash statements and expense reports
Payment card information including last four digits and card types
Images documenting property damage to rooms, common areas, and parking lots

The number of individual employees, guests, or customers impacted has not been disclosed.

Fowler sent a responsible disclosure notice to Income Property Investments, and public access was restricted the same day. It's not clear whether the database was owned and managed directly by Income Property Investments or by a third-party contractor handling data processing services. The duration of the exposure prior to discovery has not been disclosed.

Income Property Investments has not publicly responded to requests for additional comment. No details have been disclosed about whether the company has conducted internal forensic audits to determine if additional access occurred or whether law enforcement has been notified of the exposure.

Database of Income Property Investments data discovered unprotected, exposing surveillance and employee records

Read More
Kairos Ransomware Group Claims 441GB Data Theft from …
Kolkata real estate company hit by ransomware attack
Anywhere Real Estate Data Breach via Oracle EBS …
London Properties reports data breach nearly a year …
Oklahoma City Abstract & Title Co hit by …