GSI Immobilier, an Alpine real estate agency that specializes in managing, selling, and renting luxury properties throughout several popular holiday destinations in France’s Savoie region, was storing sensitive customer data on a Microsoft Azure Blob Storage server whose misconfiguration exposed customer files and left over 1000 people potentially at risk of further crimes.
GSI has over 1000 properties on its books and co-owns 350+ complexes throughout winter and summer sports destinations. Across all of its branches, GSI has 48 employees and turns an annual revenue of $8 million.
The leak in question was discovered by Website Planet’s research team. The team sent an initial responsible disclosure of the breach to GSI Immobilier but received no reply. The team then contacted Microsoft Security Center, and after weeks of follow-up, Microsoft informed them that the issue was not their responsibility.
The research team said in their report: “Finally, we contacted the French Computer Emergency Response Team (CERT) concerning this breach. The French CERT replied to our message, notifying us they had contacted GSI Immobilier. Unfortunately, GSI never replied to the French CERT.”
We also tried to contact the company (GSI) via the “online chat” feature on their website, but we were told “no thanks” and the chat conversation was terminated.
Eventually, after several attempts, the server was secured, thanks to Website Planet’s research team, which discovered and reported the leak despite GSI Immobilier’s neglect.
What Was Leaked
GSI’s Microsoft Azure Blob Storage was left unprotected, without password protection or any encryption, giving easy access to anyone who may have found the server and its content.
According to Website Planet, the Microsoft Azure Blob Storage server contained 1342 files (2GB of data), which featured the sensitive personal data of GSI’s holiday rental customers.
The server contained scanned and photographed booking contracts in the “.pdf” format.
These documents feature booking details along with numerous forms of customer PII:
- Full names, including first names and surnames
- Phone numbers
- Email addresses
- Addresses of customers’ homes and booking locations
- Booking details, including the arrival and departure dates of customers, and the prices paid for each booking
- Customer signatures (in some cases)
- Scanned pictures of signed cheques (in some cases)
Website Planet advises affected individuals to “Take necessary steps to minimize the risk of phishing attacks, fraud, scams, and theft. Worried individuals should be extra vigilant when receiving calls, texts, or emails from an unknown source – especially if the caller/messager claims to be a GSI employee.”