The following security message was sent to all affected users on January 18th, 2019 via email.
I am writing to notify you about a security issue that involves your OnePageCRM account information. We understand the value of your data and your privacy, and we take the protection of your information very seriously.
On Tuesday (Jan 15th), at 2:30pm GMT, we became aware that a backup copy of our application’s database wasn’t fully secured on a test server. This test server was set up on Jan 7th, 2019 by our engineer specifically to run tests for an upcoming database migration, and regrettably, a human error caused the issue.
Although the incident was contained and ended within minutes from the time we became aware of it, an analysis of our data logs shows that there had been a very limited number of external connections made to this server.
This was not a malicious incident and we have no reason to believe that your data has been misused by any third party.
It’s important to point out that our live database was not exposed and remains secure.
Over the past 9 years, we have worked hard to protect your data security and build your trust. This incident is hugely disappointing for us and we sincerely regret any distress or inconvenience this may cause to you and your business.
What Information Was Involved?
The exposed database was from a backup copy (dated 24th Nov 2018), and the information included:
- User’s name, email address, telephone number
- Organisation details and organisation addresses
- Contact records within an account stored by users
- Integration API keys
No credit card details were exposed or compromised.
What We Are Doing
When we became aware of the possibility of external access, we immediately shut down the test server and took steps to determine the scope of the issue. We are also now consulting with external experts and advisors and, as a controller of personal data, we will be reporting this incident to the Data Protection Commission in Ireland.
We have taken the following steps to best protect you, our users:
- We have reset all users' API keys, which are used to connect your account to various 3rd parties and our iOS and Android mobile applications.
- We’ve forced-logged out all our OnePageCRM desktop and mobile users. On relaunching your mobile app, you will be asked to re-enter your password. This will then use the new API key.
- We have revoked 3rd party integrations with OnePageCRM to force disconnect integrations with OnePageCRM.
- While we have run detailed penetration tests on our servers by security professionals (most recently in July 2018), this issue was a human error. Consequently, we are reviewing our internal protocols and procedures for test and development servers to prevent any future incidents.
What You Should Do
We take our obligation to safeguard your personal data very seriously and are alerting you about this issue so you can take steps to help protect your information.
We recommend you:
- Change your password for your OnePageCRM account (and change your password in any other place or app where you have used the same password).
- If you are an iOS mobile app user, please uninstall and reinstall the app.
- If you have 3rd party applications connected to OnePageCRM, please visit our information page on reconnecting 3rd party integrations.
As with usual best practice, you should:
- Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.
- Avoid clicking on links or downloading attachments from suspicious emails.
Under EU GDPR rules, if you are a Controller of Personal Data, you have additional obligations, more information here.
For More Information