Screened and Exposed: Platform Glitch Reveals Tenant Credit Files

The Challenge

In April 2025, Crescent Properties, a real estate firm specializing in mid-sized residential communities, uncovered a critical data privacy lapse that exposed sensitive tenant information. A property manager using NovaScreen Solutions, a third-party tenant screening portal, accidentally discovered that by modifying characters in the web address of one application, they could access credit reports from unrelated tenants. This flaw allowed unrestricted browsing between private records without any authentication.

Within hours, a test confirmed that dozens of credit files were accessible in this manner. These documents contained social insurance numbers, full credit histories, employment details, and rental backgrounds. The issue stemmed from a recently launched URL-based feature that bypassed secure session validation. The vendor had failed to run a thorough security test prior to release, and Crescent had not conducted any penetration testing of the new system.

Public exposure followed when concerned tenants voiced complaints on social media, prompting immediate regulatory scrutiny. The firm had no active data breach response plan and struggled to determine the scope of the exposure. The vendor’s support team was unprepared for a coordinated crisis response, and communications between Crescent, the platform provider, and affected tenants became strained.

Our Solution

We were brought in to guide Crescent through incident containment, communication, and systemic remediation. The first priority was to shut down the vulnerable URL system and isolate access to the platform. We supported the vendor in conducting a complete code review and implemented strict access controls for all application views.
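The access-control change described above, as an added Python example (not the vendor's or the engagement's own code): a record lookup keyed only on the identifier in the URL, beside a view that requires a session and checks record ownership, plus a check over the resulting audit log for identifier walking. All names, report IDs, account IDs and tokens are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: IDs, owners and contents are illustrative only.
@dataclass(frozen=True)
class Report:
    report_id: str
    manager_id: str  # property-manager account that ordered the screening
    body: str

REPORTS = {
    "APP-1001": Report("APP-1001", "mgr-crescent-01", "credit file A"),
    "APP-1002": Report("APP-1002", "mgr-other-77", "credit file B"),
}
SESSIONS = {"tok-abc": "mgr-crescent-01"}  # session token -> authenticated account


def get_report_vulnerable(report_id):
    """'Before' behaviour: the identifier in the URL is the only thing checked."""
    report = REPORTS.get(report_id)
    return (200, report.body) if report else (404, None)


def get_report_hardened(report_id, session_token, audit_log):
    """Require a valid session, then check the record belongs to the caller."""
    manager_id = SESSIONS.get(session_token)
    if manager_id is None:
        return (401, None)
    report = REPORTS.get(report_id)
    # Same 404 for "missing" and "not yours" so responses do not confirm valid IDs.
    if report is None or report.manager_id != manager_id:
        audit_log.append((manager_id, report_id, "denied"))
        return (404, None)
    audit_log.append((manager_id, report_id, "ok"))
    return (200, report.body)


def flag_enumeration(audit_log, threshold=3):
    """Return accounts with at least `threshold` denied lookups (ID walking)."""
    denied = {}
    for manager_id, _report_id, outcome in audit_log:
        if outcome == "denied":
            denied[manager_id] = denied.get(manager_id, 0) + 1
    return sorted(m for m, n in denied.items() if n >= threshold)
```

The ownership check runs on every view that returns a record, so a changed identifier in the address yields the same response as a nonexistent one and leaves an audit entry.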

Our team worked with Crescent to notify all impacted tenants and regulators, following PIPEDA breach reporting guidelines. Free credit monitoring services were offered to those affected. Simultaneously, Crescent’s vendor procurement policy was updated to require security certifications, application security assessments, and annual third-party audits for any platform that handles personal information.

To strengthen internal readiness, we developed a detailed data protection policy and trained Crescent staff on secure platform use. Application onboarding procedures were updated to include authentication checks, data minimization practices, and defined roles for breach accountability.

The Value

Crescent Properties successfully minimized regulatory penalties by acting quickly and transparently. Although trust was temporarily shaken, their decisive response helped rebuild credibility with tenants and partners. The experience catalyzed long-term changes to their platform risk management strategy and established stronger security expectations with technology vendors.

Implementation Roadmap

1. Disable the exposed feature and secure all unauthorized access points

2. Conduct a full audit of the vendor’s code and platform security

3. Notify impacted individuals and regulators in compliance with PIPEDA

4. Revise vendor selection criteria to include cyber and privacy certifications

5. Implement staff training and onboarding controls for data protection

Info Sheet

Industry Sector: Real Estate and Rental and Leasing

Applicable Legislation:

  • PIPEDA
  • Canadian Software Security Assurance Framework

Necessary Action Type: Platform Security Review and Vendor Governance

Steps to Be Taken:

  • Suspend affected platform and conduct independent code audit
  • Patch vulnerability and confirm authentication implementation
  • Revise vendor evaluation to include security certifications
  • Notify affected users and regulators per PIPEDA breach policy
  • Review all software tools with access to sensitive data

Involved Third Parties:

  • Tenant screening platform vendor
  • External code audit firm
  • Real estate legal compliance team