Data leak: CRM provider Really Simple Systems has lost 3 million customer records.


Really Simple Systems, a provider of customer relationship management (CRM) systems, experienced a data security issue that left more than 3 million customer records accessible to the public without a password or authentication.

The information was stored in an unsecured database, which was discovered by cybersecurity researcher Jeremiah Fowler of vpnMentor. Fowler only had access to a limited sample of the data, but the sample was enough to establish that the leak affected documents from multiple organizations of various industries and sizes. Most of them are well-known, high-profile organizations in the EU, US, UK and Australia.

Fowler noted that many of the leaks could be classified as "highly sensitive" because they exposed personally identifiable information (PII). This data was publicly available to anyone with an internet connection. Among the leaks were internal communications and invoices, as well as customer CRM files containing valuable user information such as names, phone numbers, addresses, email IDs and payment data.

Additional investigation revealed that the database also contained medical records, real estate contracts, identification documents, credit reports, disability applications, tax and legal documents, and non-disclosure agreements.

Many of these documents contained social security numbers and taxpayer identification numbers. A significant set of confidential child psychological evaluation files was discovered in one of the client's folders.

What's more, the database revealed numerous templates of internal documents belonging to Really Simple Systems that contained billing data, letters, invoices, service agreements, etc. One such template pertained to an educational platform offering school management services.

After discovering the database, Fowler sent a notice of responsible disclosure. At Fowler's request, the folder containing the educational platform information was removed from public access on the same day, in''notified of the incident and asked to monitor their credit reports and change their passwords.
