Property Management | SME (~60 employees)

Legacy Systems Were Wide Open

A property management company discovered that legacy systems containing 8 years of tenant data were publicly accessible. See what Discovero's assessment revealed.


The Challenge

What We Were Up Against

A Central European property management company handling residential and commercial properties engaged Discovero for their first external security assessment. They were preparing for ISO 27001 certification and needed documented evidence of vulnerability management.

Their IT infrastructure had grown organically over a decade, with multiple property management systems, tenant portals, and internal tools acquired through company mergers.

What Discovero Found

Assessment Results


Key Findings

1. Legacy Property Management System Exposed (CVSS 8.6)

An old property management application (decommissioned in 2021) was still running and publicly accessible. It contained tenant personal data including names, addresses, phone numbers, and rental agreements going back to 2016. The application used default credentials for admin access.

2. SQL Injection in Tenant Portal (CVSS 8.1)

The current tenant self-service portal was vulnerable to SQL injection through the login form's password reset function. This could allow an attacker to extract the entire tenant database including personal information and payment records.

3. Unencrypted Email Services (CVSS 6.8)

The company's mail server accepted connections over unencrypted IMAP and POP3 protocols. Tenant communications, maintenance requests, and internal property management emails were transmitted in plaintext.

4. Debug Endpoints Leaking Configuration (CVSS 5.5)

A Next.js application had development debug endpoints accessible in production, exposing environment variables including database connection strings and API keys for third-party property listing services.

The Impact

What Could Have Happened

Scenario | Estimated Impact
GDPR data breach notification + fines | EUR 100,000 – 500,000
Tenant data theft + lawsuits | EUR 200,000 – 1,000,000
Reputation damage + tenant churn | EUR 150,000 – 400,000
Discovero assessment | EUR 2,900

The legacy system exposure alone could have triggered mandatory GDPR breach notification — affecting hundreds of current and former tenants.

The Outcome

What Was Done

  • The legacy property management system was immediately taken offline and its data securely migrated.
  • SQL injection in the tenant portal was patched within 48 hours.
  • Email services were reconfigured to enforce TLS encryption.
  • Debug endpoints were removed from production deployment.
  • The assessment report was used directly as evidence for their ISO 27001 certification audit.

Key Takeaway

When companies grow through mergers, old systems get forgotten but not decommissioned. This property company had 8 years of tenant data sitting on a publicly accessible server with default credentials.

Want to Know What's Hiding in Your Attack Surface?

No agents. No credentials. Just your domain. First results in 48 hours.