The PMS (property management system) sits at the centre of day-to-day housing operations. PMSs hold tenants’ personal data, rent and payment records, repair histories, contractor details, communications logs and often some form of access or security data. In many organisations, the PMS also acts as the system of record for decisions and evidence.
That makes it a valuable target – not because attackers are especially interested in housing, but because compromising a PMS is a very efficient way to reach valuable data and disrupt essential services.
PMSs are also rarely isolated. Modern estates depend on integrations with building systems, mobile apps, self-service portals, IoT (Internet of Things) devices, access control platforms, finance systems and third-party suppliers. Each integration expands the attack surface and introduces new failure points.
1. Weak or compromised passwords
Weak authentication remains the easiest path into many environments. Attackers look for any route that lets them log in ‘normally’, because it reduces noise and avoids defensive measures that trigger on overt attack activity.
Common issues include reused passwords across systems, shared accounts, default administrator credentials left in place and poor account lifecycle management. In housing, there is also frequent reliance on supplier access, temporary accounts for contractors and accounts that remain active after role changes.
Credential stuffing is a specific and common risk. If staff reuse passwords and one unrelated service is breached, attackers can test those credentials at scale against your PMS, your Cloud identity provider, your remote access tools and your email. If the PMS is accessible from the internet, or via a portal, the chances of automated login attempts rise sharply.
What this looks like in practice:
- Unexpected logins from new locations or devices.
- Multiple failed login attempts followed by a successful one.
- Access via an old account that should have been disabled.
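The three signs above can be checked mechanically against authentication logs. The following is an added example, not part of the original article: the event format, account names, leavers list and the threshold of five failures in ten minutes are all constructed assumptions to be adapted to whatever your PMS or identity provider actually logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, country, device, result).
EVENTS = [
    ("2024-05-01T08:58:00", "a.khan", "GB", "dev-01", "success"),
    ("2024-05-01T09:10:00", "j.doyle", "GB", "dev-02", "success"),
    *[("2024-05-03T02:14:%02d" % s, "j.doyle", "NL", "dev-99", "fail")
      for s in range(0, 50, 10)],
    ("2024-05-03T02:15:05", "j.doyle", "NL", "dev-99", "success"),
    ("2024-05-03T23:40:00", "old.contractor", "GB", "dev-31", "success"),
    ("2024-05-04T08:30:00", "a.khan", "GB", "dev-05", "success"),
]
# Constructed leavers list: accounts that should no longer be able to log in.
SHOULD_BE_DISABLED = {"old.contractor"}


def detect(events, should_be_disabled, fail_threshold=5,
           window=timedelta(minutes=10)):
    """Return (timestamp, user, reason) alerts for the three warning signs."""
    alerts = []
    fails = defaultdict(list)  # user -> timestamps of failures since last success
    seen = defaultdict(set)    # user -> (country, device) pairs seen on success
    for ts, user, country, device, result in sorted(events):
        when = datetime.fromisoformat(ts)
        if result == "fail":
            fails[user].append(when)
            continue
        # Sign 3: a successful login on an account that should be gone.
        if user in should_be_disabled:
            alerts.append((ts, user, "login by disabled account"))
        # Sign 2: a burst of failures shortly before this success.
        recent = [f for f in fails[user] if when - f <= window]
        if len(recent) >= fail_threshold:
            alerts.append((ts, user, "success after %d failures" % len(recent)))
        fails[user].clear()
        # Sign 1: a location/device pair not seen before for this user.
        # The first recorded success only sets the baseline.
        if seen[user] and (country, device) not in seen[user]:
            alerts.append((ts, user, "new location or device"))
        seen[user].add((country, device))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, SHOULD_BE_DISABLED):
        print(*alert, sep="  ")
```

Failures older than the window are ignored, so a user who mistyped a password yesterday does not raise the burst alert today.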
2. Unpatched or outdated software
Housing estates often include legacy platforms, long-standing integrations and systems that cannot be upgraded quickly due to operational dependencies. Attackers understand this. They actively scan for known vulnerabilities in exposed services and widely used software components.
The risk is not limited to the PMS vendor itself. Supporting services often create the problem: remote access gateways, VPN (virtual private network) appliances, web servers, database platforms, middleware, mobile device management and endpoint software on administrator workstations. If a PMS is Cloud hosted, there is still a shared responsibility model. You may not patch the provider’s infrastructure, but you do own the configuration, identity, endpoints and any integrations you operate.
Two patterns are common:
- Internet-facing systems running vulnerable versions long after patches are available.
- “Hidden” systems that are not treated as critical because they are seen as building technology, not IT.
In practical terms, one unpatched edge device can provide an attacker with initial access, which they can then use to move towards the PMS.
3. Phishing attacks on staff
Phishing is effective because it targets normal behaviour. Housing teams deal with high volumes of urgent and emotionally charged messages: rent queries, repair requests, complaints, change-of-bank-detail notifications, supplier invoices and internal access requests. Attackers copy this context to create believable lures.
Phishing outcomes vary, but the common ones are:
- Staff enter credentials into a spoofed login page.
- A malicious attachment installs malware or steals session tokens.
- An attacker gains access to a mailbox and uses it to pivot internally, reset passwords and target finance processes.
Once an attacker has email access, they can often obtain access to the PMS without exploiting it directly. They can harvest information, impersonate staff, request account changes, or trigger password resets. If the organisation relies on email as a recovery channel, mailbox compromise becomes an identity compromise.
Warning signs include:
- Unusual internal emails requesting urgent actions.
- Login prompts that do not match the usual URL or sign-in flow.
- Unexpected MFA (multifactor authentication) prompts.
4. Insecure integrations and APIs
A PMS often connects to portals, mobile apps and finance and HR tools, as well as document management, data analytics, building systems and supplier platforms. These integrations are often delivered through APIs (application programming interfaces).
APIs are attractive to attackers because they can provide direct access to data and functions. If authentication is weak, tokens are exposed, authorisation checks are missing or rate limiting is absent, an attacker may be able to extract data, enumerate tenants or perform actions without triggering typical security measures.
IoT and building integrations add another layer of risk. Smart meters, door-entry systems, CCTV platforms, sensors and building management systems are frequently managed by third parties and may not meet the same security baseline as other corporate systems. If an integration route exists from those systems into PMS workflows or data stores, attackers can use the weakest linked system to reach the most valuable one.
Typical weaknesses include:
- Over-permissive API keys or service accounts.
- APIs exposed to the internet without adequate controls.
- Poor separation between test and production environments.
- Excessive data returned by API calls.
5. Poor or absent network segmentation
Many incidents escalate because environments are flat. When IoT devices, guest Wi-Fi, operational technology, corporate devices and core systems share the same network space, a single compromise can allow access across the wider environment.
In housing environments, the risk is amplified by the mix of device types and ownership models. There may be contractor devices, unmanaged devices, standalone building systems that have been installed independently, and remote sites with inconsistent controls.
Attackers exploit this complexity, starting with the easiest device to compromise, then moving laterally until they reach privileged systems.
Poor segmentation can also undermine otherwise good controls. Even if the PMS itself is well secured, an attacker with a foothold on the network can target administrators, intercept traffic, exploit internal-only interfaces or attack the identity and management infrastructure that protects the PMS.
Common indicators of segmentation issues:
- Building technology systems can reach corporate servers directly.
- Guest networks can see internal services.
- Administrative interfaces are reachable from general user networks.
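These indicators, and the multi-hop routes described earlier, can be audited from an export of firewall allow-rules. The following is an added example, not part of the original article: the zone names, ports and the "must not reach" policy are constructed assumptions, and a multi-hop path means each intermediate system would have to be compromised in turn.

```python
from collections import deque

# Constructed allow-rules: (source zone, destination zone, port).
ALLOW = [
    ("guest_wifi", "internet", 443),
    ("building_tech", "bms_server", 502),
    ("bms_server", "integration_hub", 8443),
    ("integration_hub", "pms_app", 443),
    ("user_lan", "pms_app", 443),
    ("user_lan", "pms_admin", 8443),
    ("admin_jump", "pms_admin", 8443),
    ("pms_app", "pms_db", 5432),
]
# Constructed policy: zones each source must never reach, directly or via hops.
MUST_NOT_REACH = {
    "guest_wifi": {"pms_app", "pms_admin", "pms_db"},
    "building_tech": {"pms_app", "pms_db"},
    "user_lan": {"pms_admin"},
}


def shortest_path(allow, src, dst):
    """Breadth-first search over allowed flows; returns a zone list or None."""
    graph = {}
    for source, dest, _port in allow:
        graph.setdefault(source, []).append(dest)
    queue, parent = deque([src]), {src: None}
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def audit(allow, must_not_reach):
    """Return (source, target, 'direct' | 'multi-hop', path) per violation."""
    findings = []
    for src, targets in sorted(must_not_reach.items()):
        for dst in sorted(targets):
            path = shortest_path(allow, src, dst)
            if path:
                kind = "direct" if len(path) == 2 else "multi-hop"
                findings.append((src, dst, kind, path))
    return findings
```

On the sample rules, the guest network passes, the user LAN reaches the admin interface directly, and building technology reaches the PMS application and database through the integration hub.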
The impact of a PMS breach
If any of these routes succeeds, the consequences can be severe. A breach of a PMS can lead to:
- Exposure of sensitive tenant data, including identity data, contact details, rent records and correspondence.
- Fraud risk, including diverted payments and compromised supplier details.
- Disruption to repairs, allocations, rent processing and resident communications.
- Compromise of building access systems if integrations exist with smart locks or entry control.
- Regulatory and contractual consequences, including incident reporting obligations and potential enforcement under the GDPR (General Data Protection Regulation).
- Reputational damage and loss of tenant trust, which is difficult to rebuild and costly to manage.
How we can help you
Penetration testing shows how attackers would actually reach your PMS and what they can do once inside. It also validates whether your controls work in practice, not just on paper.
Our penetration testing services can help you:
- Simulate real-world attack techniques used against PMS platforms.
- Identify vulnerabilities across applications, networks, integrations and user access.
- Test whether IoT and building systems create a route into the PMS.
- Validate patching, access controls and network segmentation.
- Produce clear, prioritised remediation actions for IT and operations teams.
Book a penetration test with GRC Solutions today to uncover vulnerabilities before attackers do. Protect your tenants, your data and your operations.
