Global CRM provider exposed millions of clients’ files online

Oct. 4, 2023
Medical records, identification documents, credit reports, legal documents, and tax documents, among others exposed in U.S., UK, Australia and across the EU

Note: Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password-protected database that contained over 3 million records. The documents appeared to be associated with internal invoices, communications, and customer’s stored CRM files.

Upon further research, records indicated that the database belonged to global B2B CRM provider Really Simple Systems. Cloud-based customer relationship management systems allow a business or another organization to manage interactions with customers, store documents or other important business data, and allow them to access it from anywhere. The database contained hundreds of folders, and most of them appeared to hold documents related to individual companies and their customers. Other folders contained shared images, invoices, templates, and other Really Simple Systems internal records. Among other documents, the database contained 2,565,602.dat files, 50,242 image files, and 101,290 invoices that may expose the customers’ name, address, and CRM plan details. There were many other types of file extensions and these represent the top three most common files in the database.

In a limited sampling, I saw an incredibly wide range of documents, which belonged to different kinds of organizations, from small businesses to global well-known organizations. I saw information from companies and customers located in the USA, UK, Australia, multiple EU countries, and more. Notably, a vast majority of these records could be considered highly sensitive, as they exposed personally identifiable information (PII). Some of the most potentially sensitive files I saw were medical records, identification documents, real estate contracts, credit reports, legal documents, tax documents, non-disclosure agreements, and even disability claims, all of which showed SSN and tax identification numbers. One of the client folders contained a large collection of child psychological examination documents marked as confidential. I also saw plenty of internal document templates that are believed to be associated with Really Simple Systems and their users including emails, billing data and invoices, service agreements, and more.

The records inside the database were publicly accessible to anyone with an internet connection. Upon discovering the exposure, I sent a responsible disclosure notice and received a reply thanking me for the notification. One folder specifically belonging to a managed educational platform that provides educational and school management services was removed from public access the same day. However, other folders remained accessible for several days before being restricted. After sending a follow-up email, I received the following message: “As of Tuesday 29th August, we, at the CRM Success Team, understand that: Further settings changes / code changes are being applied to further resolve, over the next few days. The relevant company directors and gdpr officers have been notified, by the development manager”.

I cannot say how long the data was exposed nor if anybody else accessed it before Really Simple Systems restricted access. I also imply no wrongdoing or malicious activity that led to the data exposure.

According to Wikipedia, “Really Simple Systems CRM has over 18,000 users of its hosted customer relationship management systems. Customers include the Royal Academy, the Red Cross, the NHS and IBM as well as thousands of small and medium-sized companies”.

There were millions of diverse documents in the database belonging to Really Simple Systems and their customers. As an ethical security researcher, I never download the data I find. These screenshots represent an example of a small portion of the exposed documents that I saw in the database.

Many Documents From Many Different Companies All In One Place

A Customer Relationship Management (CRM) data breach can have potentially serious consequences for both businesses and individuals. CRM systems store a wealth of sensitive business data as well as a large amount of personal and confidential customer data, including names, addresses, multiple contact information, business records, and other important files used in daily business operations. This makes CRM systems an attractive potential target for cybercriminals. The majority of the files in the database were.dat files. This is a generic data file that contains information in plain text or binary format. The term "dat" stands for "data," and these files can store a wide variety of data. Additionally, there were PDF documents, and image files in PNG and jpg formats.

With over 100,000 exposed invoices, this situation highlights the vulnerability that can allow anyone with an internet connection to see who are Really Simple System’s customers, how much they are spending, their storage plans, account numbers, and other information that was not intended to be public. This could potentially allow criminals to manipulate or send fraudulent invoices to the customers of Really Simple Systems. The criminals could change payment details, and redirect funds to their accounts. Invoice fraud is a serious concern; in 2022, Forbes reported that among the 2,750 surveyed businesses, more than 34,000 cases of invoice fraud were found in a single year.

Other potential risks include targeted phishing attacks where criminals could send convincing phishing emails using insider information from the exposed database to target employees, clients, or vendors. They could hypothetically impersonate the company using Really Simple Systems services and instruct recipients to click on malicious links or malware. Attacks, where criminals impersonate company employees or clients, can also potentially open the door to unauthorized access to additional internal systems or resources. This highly increases the likelihood of success, as the emails appear more legitimate to recipients and contain information that only official company representatives would know.

I saw a very large number of documents in multiple folders inside the publicly exposed database that contained tax identification numbers or SSNs. In the wrong hands, this information could potentially be used for financial fraud or identity theft. For instance, a common tactic for criminals is to use stolen information to file false tax returns and attempt to claim refunds that don't belong to them, thus creating a very difficult situation for the individual whose information was used. According to the IRS, in 2023 the US tax agency found that nearly 1.1 million tax returns were potentially fraudulent. The estimated total value of the fraudulent returns was nearly $6.3 billion.

I am highlighting the importance of security, rather than implying any wrongdoing by Really Simple Systems or saying that their customers or the customer's clientele were ever in imminent risk. I am only stating the facts of potential vulnerabilities and their implications, and describing the hypothetical real-world impact and potential risks of a CRM data breach. We publish our findings for educational purposes and to raise awareness of cyber security and best practices. I highly recommend that any company that collects and stores records, documents, or other files on behalf of other businesses conduct regular penetration testing and ensure the firewall is properly configured to restrict public access. It is crucial to implement robust cybersecurity measures, such as encryption, access controls, regular security audits, employee training, intrusion detection systems, and incident response plans.

If an individual's personal information has been exposed in a data breach, there are several steps they should take to protect themselves and mitigate potential risks. Being proactive is important to identify any attempts to use your identity or personal information. We recommend you monitor your credit report from major credit bureaus (Experian, Equifax, TransUnion) to check for any unusual activity, such as new accounts opened in your name. You should also review your bank and credit card statements regularly, checking for any suspicious or unauthorized transactions. Report any discrepancies to your financial institution immediately.

Finally, beware of phishing scams and understand that criminals may try to use information from a data breach to trick potential victims into revealing more personal or financial data. As a general rule, you should always verify the authenticity of emails or messages before clicking on any links or providing information. If you believe your data was exposed in a data breach, stay informed about any news or developments related to the breach from the company that leaked the data, news media, or authorities.

About the author: Jeremiah Fowler is Cybersecurity researcher at vpnMentor and Co-Founder of Security Discovery.

Jeremiah finds and reports data breaches and vulnerabilities. He identifies real world examples of how exposed data can be a much bigger risk to personal privacy. Together with the vpnMentor team he has helped secure the personal data of millions of people from all over the world.

Jeremiah has over 10 years of experience in cyber security and has found some of the largest data breaches recorded in yearly summaries. After the company he was working for had a data breach of their own customers he became inspired to find out how data exposures happen. What started as digital treasure hunting quickly became more than a hobby. He quickly became a well known security researcher and thought leader frequently appearing in the news.

He has been a keynote speaker at multiple security conferences and has given lectures and webinars to startups and Fortune 100 companies on the topics of cyber security, privacy, and data protection. 

About the Author

Jeremiah Fowler | Cybersecurity researcher at vpnMentor and Co-Founder of Security Discovery.

Cybersecurity researcher at vpnMentor and Co-Founder of Security Discovery.

Jeremiah finds and reports data breaches and vulnerabilities. He identifies real world examples of how exposed data can be a much bigger risk to personal privacy. Together with the vpnMentor team he has helped secure the personal data of millions of people from all over the world.

Jeremiah has over 10 years of experience in cyber security and has found some of the largest data breaches recorded in yearly summaries. After the company he was working for had a data breach of their own customers he became inspired to find out how data exposures happen. What started as digital treasure hunting quickly became more than a hobby. He quickly became a well known security researcher and thought leader frequently appearing in the news.

He has been a keynote speaker at multiple security conferences and has given lectures and webinars to startups and Fortune 100 companies on the topics of cyber security, privacy, and data protection. Jeremiah lives by the saying "Do what you love, and you will always love what you do"