In a recent discovery, cybersecurity researcher Jeremiah Fowler uncovered a significant data breach exposing over 3 million records. The breach involved a non-password-protected database associated with global B2B CRM provider Really Simple Systems, potentially compromising sensitive information from various organizations, according to a VPNmentor report.
The exposed documents included internal invoices, communications, customer CRM files, and more. The database consisted of hundreds of folders containing documents related to individual companies and their customers. Shockingly, the records exposed personal details such as customers’ names, addresses, and CRM plan information, making them highly sensitive.
Analysis of the database revealed a diverse range of files, including medical records, identification documents, real estate contracts, credit reports, legal documents, tax documents, non-disclosure agreements, and even disability claims, many revealing sensitive information such as Social Security Numbers (SSNs) and tax identification numbers. Disturbingly, the cybersecurity breach also included confidential child psychological examination documents.
Moreover, the database contained internal document templates, email exchanges, billing data, service agreements, and more, shedding light on the severity of the breach and the potential misuse of this sensitive information.
Worryingly, the records within the database were easily accessible to anyone with an internet connection, highlighting a significant security oversight by Really Simple Systems. Jeremiah Fowler acted responsibly, promptly notifying the company about the breach and the public exposure of sensitive information.
Although some corrective measures were taken promptly, certain folders remained accessible for an extended period before being restricted. The incident underscores the urgent need for robust cybersecurity measures to safeguard customer data and prevent unauthorized access to sensitive information.
According to Wikipedia, “Really Simple Systems CRM has over 18,000 users of its hosted customer relationship management systems. Customers include the Royal Academy, the Red Cross, the NHS and IBM as well as thousands of small and medium-sized companies.”
Customer Relationship Management (CRM) systems store a wealth of sensitive business data as well as a large amount of personal and confidential customer data, including names, addresses, multiple contact information, business records, and other important files used in daily business operations. This makes CRM systems an attractive potential target for cybercriminals.
With over 100,000 exposed invoices, this situation highlights a vulnerability that could allow anyone with an internet connection to see who Really Simple Systems’ customers are, how much they are spending, their storage plans, account numbers, and other information that was not intended to be public.
This could potentially allow criminals to manipulate or send fraudulent invoices to the customers of Really Simple Systems. The criminals could change payment details, and redirect funds to their own accounts. Invoice fraud is a serious concern; in 2022, Forbes reported that among the 2,750 surveyed businesses, more than 34,000 cases of invoice fraud were found in a single year.
According to the IRS, in 2023 the US tax agency found that nearly 1.1 million tax returns were potentially fraudulent. The estimated total value of the fraudulent returns was nearly $6.3 billion.