Really Simple Systems exposed its database publicly without any password or security authentication.
- Cybersecurity researcher Jeremiah Fowler discovered an unprotected database belonging to Really Simple Systems.
- The database contained over 3 million records, exposing the many companies and customers associated with Really Simple Systems to a range of online threats.
- Many impacted businesses are located in the UK, USA, EU, and Australia.
- Exposed data includes medical records, credit reports, identification documents, tax documents, legal documents, etc.
A global CRM (customer relationship management) systems provider, Really Simple Systems, has suffered a data security incident in which more than 3 million customer records were exposed to the public without any password or security authentication.
These records were stored in an unprotected database discovered by cybersecurity researcher Jeremiah Fowler of vpnMentor.
Fowler examined only a limited sample, which indicated that the database held a wide range of documents belonging to organizations of different sectors and sizes. Most were well-known, high-profile organizations located in EU countries, the USA, the UK, and Australia.
Fowler wrote that most of the exposed records could be considered ‘highly sensitive’ because they contained personally identifiable information (PII). These records were publicly accessible to anyone with an internet connection.
The exposed data includes internal communications and invoice records, as well as customers’ CRM files containing valuable user data such as names, phone numbers, addresses, email addresses, and payment information.
Further probing revealed that the database also contained medical records, real estate contracts, identification documents, credit reports, disability claims, tax/legal documents, and non-disclosure agreements.
Many of the documents contained Social Security Numbers and tax identification numbers. One of the client folders had a large collection of confidential child psychological assessment files.
Moreover, many internal document templates belonging to Really Simple Systems were part of the database and contained billing data, emails, invoices, service agreements, etc. One of the folders belonged to a managed educational platform offering school management services.
According to Fowler’s report, after discovering the database, he sent a responsible disclosure notice. The school management service’s folder was removed from public access on the same day, whereas other folders remained accessible online for a few more days. Fowler then sent a follow-up email to the CRM solutions provider, in response to which the company stated:
“As of Tuesday 29th August, we, at the CRM Success Team, understand that: Further settings changes/code changes are being applied to further resolve, over the next few days. The relevant company directors and GDPR officers have been notified, by the development manager.”

Real Simple Reason
It is not known how long this database remained exposed or whether anyone accessed it before the company restricted access.
Really Simple Systems has launched an investigation and has improved its security mechanisms to prevent such incidents in the future. Impacted customers have been notified and asked to monitor their credit reports and change their passwords.