Cybersecurity Researcher Jeremiah Fowler identified an unencrypted, non-password-protected database containing 170,360 records. 

The database appears to belong to Income Property Investments; however, it is unknown if the organization owns and manages the database directly or if a third-party contractor does so. Furthermore, it is unknown how long the database was exposed, or if any malicious actor gained access to it. 

Income Property Investments possesses a multi-state portfolio that includes apartment complexes, townhomes, single-family homes, hotels and commercial buildings. Most exposed documents observed by Fowler involved hotel-related information, but some were associated with residential housing. 

The data exposed includes: 

• Spreadsheets with motel employee information (including names, dates of birth, addresses, email addresses, and Social Security Numbers) as well as termination and emotion letters 
• Inspection reports
• Receipts, petty cash statements and expense reports (some featured the payment card type and last four digits)
• Police reports, including guest and hotel employee arrest information
• Image of property damage
• Documentation of guest or employee accidents, including images and video 
• Proof of sickness documentation 

The exposure of personally identifiable information (PII) — like names, birth dates, or Social Security Numbers — could leave individuals at risk of credit fraud, tax fraud, identity theft, or unauthorized access of their personal accounts.