The Target: Cloud customer relationship management (CRM) software provider Really Simple Systems.
The Take: Personally identifiable information (PII), including medical records, identification documents, real estate contracts, credit reports, legal documents, tax documents, and non-disclosure agreements.
The Vector: Cybersecurity Researcher, Jeremiah Fowler, discovered and promptly notified Really Simple Systems about a non-password-protected database that contained over 3 million records. The documents appeared to be associated with internal invoices, communications, and customer’s stored CRM files.
While some immediate corrective actions were implemented, specific folders remained open for an extended duration before their access was limited. This incident highlights the pressing requirement for strong password encryption measures to protect customer data and thwart unauthorized access to sensitive information.