Motel 6 customer, employee data exposed on investment firm’s server
A real estate investment firm left more than 170,000 private records unprotected on an unsecure server, exposing the personal information of customers and employees at properties such as Motel 6, Straight Arrow News learned. The database contained information such as names, dates of birth, physical addresses and Social Security numbers.
The database, according to a report written by cybersecurity researcher Jeremiah Fowler and co-published on Website Planet, appears to belong to the California-based company Income Property Investments Inc., which specializes in real estate investment and management.
After Fowler notified the company about the exposed data, he said, the server was secured the same day with no acknowledgement. Additionally, while the files appear to belong to Income Property Investments, it is unclear whether the company or a third party managed the server.
Such an exposure, if discovered by malicious parties, could help cybercriminals carry out an assortment of crimes, including identity fraud.
Personally identifiable information
Among the 170,360 records, most relate to an unknown number of hotel companies across the nation. Private employee information, property inspection reports, eviction notices, employee termination letters and expense reports are present in the dataset.
A spreadsheet from the server shown to SAN, which was redacted to protect personally identifiable information, contained the names, home addresses, dates of birth and Social Security numbers of “new hires” at apartment complexes in multiple states.
Other files include police reports on arrests of both guests and hotel employees, some of which contain surveillance footage.
Screenshots from the videos, which were modified to conceal identities, reveal what appears to be a physical altercation involving a police officer as well as customers who, according to Fowler, were purportedly injured from falls. Another image shows an individual leaping over a property’s front desk.
A “confidential” employee discipline form in the files details allegations that a hotel employee “was on the floor sleeping” behind the “front desk area.” A separate incident report from a hotel employee recounts the stabbing of a guest, who was taken to a hospital by ambulance.
Medical information in the dataset, including positive COVID-19 tests from employees, exposes names and dates of birth as well.
“This is one of the more interesting discoveries I have seen in several years,” Fowler, the cybersecurity researcher, said, “as the exposed database appears to contain a wide range of documents and information about motel guests, employee conflicts, surveillance videos, images and much more.”
No comment
Income Property Investments did not respond to SAN’s request for comment. It’s unknown how long the server was vulnerable and whether it was accessed by unauthorized parties before Fowler’s discovery.
On its website, the company said its “diversified, multi-state portfolio” includes hotels, apartment complexes, commercial buildings, townhomes and single-family homes.
Motel 6 also did not respond to questions from SAN about its relationship to Income Property Investments or whether it was aware of the data breach. The private equity firm Blackstone sold Motel 6 in December 2024 for $525 million to the India-based hotel operator Oyo.
It is not clear whether individuals were notified their personal data was compromised.
SAN also tried to contact several email addresses and telephone numbers in the exposed data but received no response.
Ella Rae Greene, Editor In Chief
