If you created a OnePageCRM account after November 24th 2018 this security update does not affect you.

 

What happened?

On Tuesday (Jan 15th), at 2:30pm GMT, we became aware that a backup copy of our application’s database wasn’t fully secured on a test server. This test server was set up on Jan 7th, 2019 by our engineer specifically to run tests for an upcoming database migration, and regrettably, a human error caused the issue.

Although the incident was contained and ended within minutes from the time we became aware of it, an analysis of our data logs shows that there had been a very limited number of external connections made to this server.

This was not a malicious incident and we have no reason to believe that your data has been misused by any third party.

It’s important to point out that our live database was not exposed and remains secure.

Over the past 9 years, we have worked hard to protect your data security and build your trust. This incident is hugely disappointing for us and we sincerely regret any distress or inconvenience this may cause to you and your business.

 

What information was involved?

The exposed database was from a backup copy (dated 24th Nov 2018), and the information included:

  • User’s name, email address, telephone number
  • Organisation details and organisation addresses
  • Contact records within an account stored by users
  • Integration API keys

No credit card details were exposed or compromised.

 

What we are doing

When we became aware of the possibility of external access, we immediately shut down the test server and took steps to determine the scope of the issue. We are also now consulting with external experts and advisors and, as a controller of personal data, we will be reporting this incident to the Data Protection Commission in Ireland.

We have taken the following steps to best protect you, our users:

  • We have reset all users’ API keys, which are used to connect your account to various 3rd parties and our iOS and Android mobile applications.
  • We’ve force-logged out all our OnePageCRM desktop and mobile users. On relaunching your mobile app, you will be asked to re-enter your password. This will then use the new API key.
  • We have revoked 3rd party integrations with OnePageCRM to force disconnect integrations with OnePageCRM.
  • While we have run detailed penetration tests on our servers by security professionals (most recently in July 2018), this issue was a human error. Consequently, we are reviewing our internal protocols and procedures for test and development servers to prevent any future incidents.

 

What you should do

We take our obligation to safeguard your personal data very seriously and are alerting you about this issue so you can take steps to help protect your information.

We recommend you:

  • Change your password for your OnePageCRM account (and change your password in any other place or app where you have used the same password).
  • If you are an iOS mobile app user, please uninstall and reinstall the app.
  • If you have 3rd party applications connected to OnePageCRM, please visit our information page on reconnecting 3rd party integrations.

As with usual best practice, you should:

  • Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.
  • Avoid clicking on links or downloading attachments from suspicious emails.

 

Frequently Asked Questions

 

How does this impact me?

Any accounts created prior to November 24th 2018 should take this notice seriously and follow the necessary steps as outlined above or sent to you via email.

 

Should I change my OnePageCRM password?

Yes, you should change your OnePageCRM password (and change your password in any other place or app where you have used the same password).

 

How do I change my password?

To change your password, log in to your OnePageCRM account > go to the Gear icon > Users and Billing > Users > Click on your profile – Change password. Read more here.

 

Has this ever happened before?

No, this has never happened before. OnePageCRM has been in operation since 2010 and takes security very seriously. We are reviewing our internal protocols and procedures for test and development servers to prevent any future incidents. You can visit our Security and Privacy Policy.

 

Is my data now secure in OnePageCRM?

Yes, we can assure you your data is secure. It’s important to note that our live database was not exposed and remains secure. The incident occurred on a test server. Your data is stored on industry-leading Amazon data centres protected by physical barriers and guarded 24/7. See more about our security here.

 

Can I trust OnePageCRM with my data going forward?

Yes, and we will continue to work with you to rebuild the trust you placed in us.

Over the past 9 years, we have worked hard to protect your data security and build your trust. Regrettably, this incident was caused by human error and is hugely disappointing. We sincerely regret any distress or inconvenience this may cause to you and your business.

We are reviewing our internal protocols and procedures for test and development servers to prevent any future incidents.

 

What to do if you’re a Data Controller

Users who are controllers of personal data affected by this incident should immediately undertake their own due diligence to investigate this incident and to assess the risk it may present to you, your users or other contacts. You may be required to report this incident to the Data Protection Commission or the equivalent supervisory authority in your country. In Ireland, there is usually a 72-hour window from the date you become aware of such an incident to notify the Data Protection Commission.

We are happy to cooperate and answer any further queries you may have in relation to this incident.

 

Who can I contact if I have additional questions?

We understand this is a difficult situation. If you have any questions, please email support@onepagecrm.com and we will strive to respond as soon as possible.

 

External References