This top CRM provider left millions of client files exposed online
Sensitive information was sitting in an unprotected database
A global CRM provider kept a major client database sitting unprotected on the public web, available to anyone who knew where to look, new research has claimed.
The database contained hundreds of thousands of records, many of which were personally identifiable and sensitive information that could have been abused in identity theft, phishing, and other forms of cybercrime and digital fraud - although fortunately there doesn't apepar to be any evidence of any wrongdoing, though.
The news was broken by cybersecurity researcher Jeremiah Fowler, who discovered a non-password protected database belonging to Really Simple Systems, which claimed to have some 18,000 users and customers including organizations such as the Royal Academy, the Red Cross, the NHS and IBM.
Social Security Numbers galore
Fowler found all sorts of formats - images, invoices, templates, as well as Really Simple System internal records. In total, there were more than 2.5 million .dat files, more than 50,000 images, and more than 100,000 invoices carrying customer names, addresses, and CRM plan details. Furthermore, the database held people’s medical records, identification documents, real estate contracts, credit reports, legal documents, tax documents, non-disclosure agreements, and even disability claims, all of which showed SSN and tax identification numbers.
“One of the client folders contained a large collection of child psychological examination documents marked as confidential,” Fowler said.
The companies whose data was being kept in this database were located in multiple countries around the world, including the US, UK, Australia, multiple EU countries, and more.
Soon after discovering the database, Fowler reached out to the company, who took a few days but closed the access, eventually. There is no evidence of any threat actors accessing the database in the past. Really Simple System said it reached out to affected clients with relevant information.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
More from TechRadar Pro
- Major data breach exposes database of 200 million users
- Here's a list of the best firewalls today
- These are the best endpoint protection software right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.