This top CRM provider left millions of client files exposed online

An abstract image of a database
(Image credit: Pixabay)

A global CRM provider kept a major client database sitting unprotected on the public web, available to anyone who knew where to look, new research has claimed.

The database contained hundreds of thousands of records, many of them personally identifiable and sensitive information that could have been abused for identity theft, phishing, and other forms of cybercrime and digital fraud, although fortunately there doesn't appear to be any evidence of wrongdoing.

The news was broken by cybersecurity researcher Jeremiah Fowler, who discovered a non-password-protected database belonging to Really Simple Systems, which claimed to have some 18,000 users and customers including organizations such as the Royal Academy, the Red Cross, the NHS and IBM.

Social Security Numbers galore

Fowler found all sorts of formats - images, invoices, templates, as well as Really Simple Systems internal records. In total, there were more than 2.5 million .dat files, more than 50,000 images, and more than 100,000 invoices carrying customer names, addresses, and CRM plan details. Furthermore, the database held people’s medical records, identification documents, real estate contracts, credit reports, legal documents, tax documents, non-disclosure agreements, and even disability claims, all of which showed SSNs and tax identification numbers.

“One of the client folders contained a large collection of child psychological examination documents marked as confidential,” Fowler said.

The companies whose data was being kept in this database were located in multiple countries around the world, including the US, UK, Australia, multiple EU countries, and more.

Soon after discovering the database, Fowler reached out to the company, which took a few days to respond but eventually closed off access. There is no evidence of any threat actors having accessed the database. Really Simple Systems said it reached out to affected clients with relevant information.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
