This top CRM provider left millions of client files exposed online

News
By Sead Fadilpašić
published

Sensitive information was sitting in an unprotected database

An abstract image of a database
(Image credit: Image Credit: Pixabay)

A global CRM provider kept a major client database sitting unprotected on the public web, available to anyone who knew where to look, new research has claimed.

The database contained hundreds of thousands of records, many of which were personally identifiable and sensitive information that could have been abused in identity theft, phishing, and other forms of cybercrime and digital fraud - although fortunately there doesn't apepar to be any evidence of any wrongdoing, though.

The news was broken by cybersecurity researcher Jeremiah Fowler, who discovered a non-password protected database belonging to Really Simple Systems, which claimed to have some 18,000 users and customers including organizations such as the Royal Academy, the Red Cross, the NHS and IBM.

Social Security Numbers galore

Fowler found all sorts of formats - images, invoices, templates, as well as Really Simple System internal records. In total, there were more than 2.5 million .dat files, more than 50,000 images, and more than 100,000 invoices carrying customer names, addresses, and CRM plan details. Furthermore, the database held people’s medical records, identification documents, real estate contracts, credit reports, legal documents, tax documents, non-disclosure agreements, and even disability claims, all of which showed SSN and tax identification numbers. 

“One of the client folders contained a large collection of child psychological examination documents marked as confidential,” Fowler said. 

The companies whose data was being kept in this database were located in multiple countries around the world, including the US, UK, Australia, multiple EU countries, and more.

Soon after discovering the database, Fowler reached out to the company, who took a few days but closed the access, eventually. There is no evidence of any threat actors accessing the database in the past. Really Simple System said it reached out to affected clients with relevant information.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.