While the email practices of the Democrats and the Clinton camp are grabbing all the headlines recently, Republican presidential candidate Donald Trump has some cringeworthy email practices of his own.
A computer security researcher looked into the servers associated with Trump’s business and its several arms, including its golf resorts, hotels, and real estate brokerage. The Trump Organization’s corporate servers, he discovered, run long outdated software and lack basic security measures.
Get Data Sheet, Fortune’s technology newsletter.
Kevin Beaumont, the researcher who posted his findings on Twitter on Monday, tells Fortune he decided to investigate that matter since email servers and cybersecurity were such a big issues during the campaign.
“I decided to Google ‘trump email address’ to see what their systems looked like,” he explains via email. “I did not see what I expected.”
Beaumont dug into the public records to find that the email servers use Microsoft (MSFT) Windows 2003 alongside old server management software from Microsoft called Internet Information Server 6. He also found that the servers are accessible on the public Internet via Outlook Web Access, do not employ two-factor authentication (which requires a secondary login code), have no mobile device management option, and do not receive security patches.
Microsoft deprecated support for Windows 2003 in July 2015, meaning that the company no longer maintains the code nor pushes fixes out for the software. That leaves servers running the more than a decade-old version of Windows open to attackers and spies.
https://twitter.com/GossiTheDog/status/788148795716542464
Knocking Clinton for her email practices has been a common refrain for Trump and his supporters throughout the election season. They have hammered on her for using a private email server during her stint as Secretary of State, and have pored over the leaked documents and messages spilling out of hacked organizations and officials like the Democratic National Committee and Clinton campaign chairman John Podesta through vigilante publishers like WikiLeaks.
For more on Donald Trump, watch:
Time, budget constraints, and other business priorities can lead organizations to continue using old, buggy software, like Windows 2003, which has reached what techies call “end of life.” A June survey of corporate servers from the IT social network Spiceworks found that most companies—53%—still run an instance of Windows 2003 in their server rooms.
Given the nature of the 2016 presidential race and Trump’s talking points, the finding is more than a little ironic. “When you’re making a big deal in an election campaign about email security and you own a billion dollar business, you shouldn’t do that,” Beaumont says referring to running Windows 2003 on email servers within one’s organization. “You need to have the basics in place.”
Beaumont says that he did not pry any deeper into the Trump Organization’s systems than what was publicly available online. “They may already be hacked,” he adds. “It depends if anybody had any interest.”
A spokesperson for the Trump Organization sent Fortune a statement that did not mention the outdated software, saying, “The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.”
Update 10/18/16: Post updated to include a statement provided by the Trump Organization.
