Unprotected Database Left 3 Million Records Exposed
This company is a global player in the field of Customer Relationship Management (CRM) solutions. Its cloud-based CRM systems are designed to help organizations manage customer interactions, store critical documents, and access their data from anywhere in the world. However, the discovery revealed that part of the company’s database was left unprotected, exposing over 3 million records in a way that could have had devastating consequences.
Fowler’s investigation revealed that the company’s database, containing a staggering three million records, was left unsecured. These records included internal documents, communications, and files stored within their CRM systems. This lapse in security had severe implications, as it left sensitive business and customer information exposed to the world.
What Kind of Data Was Held in the Database
The exposed database was a virtual treasure trove, comprising numerous folders that housed a diverse range of documents. Most of these documents pertained to individual companies and their respective customers. The database also contained shared images, invoices, templates, and other internal records of Really Simple Systems. The most common file types were .dat files (over 2.5 million), image files (50,000), and invoices (over 100,000); together they potentially revealed customer names, addresses, and details of their CRM plans. Other file types, such as scanned passports and driver’s licenses, were also present in smaller numbers.
The contents of this database were far from homogeneous. Fowler’s investigation unveiled a wide array of documents originating from various organizations, ranging from small businesses to globally renowned institutions. These documents represented entities located in diverse regions, including the United States, the United Kingdom, Australia, and multiple European countries. Significantly, the majority of these records contained sensitive information, including personally identifiable information (PII).
Some of the most concerning files included medical records, identification documents, real estate contracts, credit reports, legal documents, tax records, non-disclosure agreements, and even disability claims. Shockingly, these files often contained Social Security Numbers (SSNs) and tax identification numbers, elevating the risk of identity theft and financial fraud. Furthermore, one folder contained a large number of confidential child psychological examination documents, further highlighting the severity of the exposure.
Perhaps the most alarming aspect of this discovery was the fact that these records were accessible to anyone with an internet connection. The absence of basic security measures meant that sensitive data was effectively in the public domain.
Responsible Disclosure From the Researcher
Fowler acted responsibly and promptly by notifying Really Simple Systems about the exposure. While some folders were restricted immediately, others remained accessible for several days. After a follow-up email, the company gave assurances that it was taking steps to address the issue.
This data exposure had the potential to lead to various risks. Criminals could exploit the situation by manipulating invoices, redirecting funds, or conducting targeted phishing attacks.
The combination of insider information and the ability to impersonate company representatives increased the likelihood of successful cyberattacks, posing serious concerns. Fowler emphasized the critical importance of cybersecurity measures, including encryption, access controls, employee training, and regular security audits. For companies entrusted with sensitive data, it is imperative to prioritize security and take proactive steps to safeguard this information.
Fowler’s discovery raises serious concerns about data security in the digital age. The exposure of sensitive information underscores the need for robust cybersecurity practices to protect both businesses and individuals from the ever-present threat of data breaches.