A global CRM provider kept a vast customer database unprotected on the public Internet, available to anyone who knew where to look, new research shows.
The database contained hundreds of thousands of records, much of which was personally identifiable and sensitive information that could have been misused in identity theft, phishing and other forms of cybercrime and digital fraud – although fortunately there appears to be no evidence of any such wrongdoing.
The news was announced by cybersecurity researcher Jeremiah Fowler, who discovered a non-password-protected database belonging to Real Simple Systems, a company that claims to have around 18,000 users and customers, including organizations such as the Royal Academy, the Red Cross, the NHS and IBM.
Social Security numbers galore
Fowler found all kinds of formats: images, invoices, templates, and Real Simple Systems' own internal records. In total there were more than 2.5 million .dat files, more than 50,000 images and more than 100,000 invoices containing customer names, addresses and CRM plan details. Additionally, the database contained people's medical records, identification documents, real estate contracts, credit reports, legal documents, tax documents, non-disclosure agreements, and even disability claims, all of which contained Social Security numbers and tax identification numbers.
“One of the client folders contained a large collection of child psychology research documents that were marked confidential,” Fowler said.
The companies whose data was held in this database were located in multiple countries around the world, including the US, UK, Australia, multiple EU countries and more.
Shortly after discovering the database, Fowler contacted the company; it took a few days, but the company eventually closed public access. There is no evidence that threat actors accessed the database while it was exposed. Real Simple Systems said it has contacted affected customers with the relevant information.