
OnePageCRM Data Breach

by Adam Brogden
in Blog

21-Jan-2019 09:46

We use OnePageCRM as our in-house CRM platform and have been informed about a data breach on their site. We use OnePageCRM to track prospects and new opportunities with our customers. We have reviewed their breach report and can confirm that there is very little risk to you; however, we thought you should know. Under GDPR breach regulations we are a data controller, and customer details stored on this system are our data subjects. We have assessed the level of risk and potential impact on our data subjects and have determined that there is no reason to report this incident as a data breach.

If you use OnePageCRM you should read the email from OnePageCRM below.

We will update you if this situation changes.

Email from OnePageCRM

What Happened?

On Tuesday (Jan 15th), at 2:30pm GMT, we became aware that a backup copy of our application's database wasn’t fully secured on a test server. This test server was set up on Jan 7th, 2019 by our engineer specifically to run tests for an upcoming database migration, and regrettably, a human error caused the issue.

Although the incident was contained and ended within minutes from the time we became aware of it, an analysis of our data logs shows that there had been a very limited number of external connections made to this server.

This was not a malicious incident and we have no reason to believe that your data has been misused by any third party.

It's important to point out that our live database was not exposed and remains secure.

Over the past 9 years, we have worked hard to protect your data security and build your trust. This incident is hugely disappointing for us and we sincerely regret any distress or inconvenience this may cause to you and your business.

What Information Was Involved?

The exposed database was from a backup copy (dated 24th Nov 2018), and the information included:

  • User’s name, email address, telephone number

  • Organisation details and organisation addresses

  • Contact records within an account stored by users

  • Integration API keys

No credit card details were exposed or compromised.

What We Are Doing

When we became aware of the possibility of external access, we immediately shut down the test server and took steps to determine the scope of the issue. We are also now consulting with external experts and advisors and, as a controller of personal data, we will be reporting this incident to the Data Protection Commission in Ireland.

We have taken the following steps to best protect you, our users:

  • We have reset all users' API keys, which are used to connect your account to various 3rd parties and our iOS and Android mobile applications.

  • We’ve force-logged out all our OnePageCRM desktop and mobile users. On relaunching your mobile app, you will be asked to re-enter your password. This will then use the new API key.

  • We have revoked 3rd party integrations with OnePageCRM to force disconnect integrations with OnePageCRM.

  • While we have run detailed penetration tests on our servers by security professionals (most recently in July 2018), this issue was a human error. Consequently, we are reviewing our internal protocols and procedures for test and development servers to prevent any future incidents.

What You Should Do

We take our obligation to safeguard your personal data very seriously and are alerting you about this issue so you can take steps to help protect your information.

We recommend you:

  • Change your password for your OnePageCRM account (and change your password in any other place or app where you have used the same password).

  • If you are an iOS mobile app user, please uninstall and reinstall the app.

  • If you have 3rd party applications connected to OnePageCRM, please visit our information page on reconnecting 3rd party integrations.

  • As with usual best practice, you should:

    Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data. Avoid clicking on links or downloading attachments from suspicious emails.

Under EU GDPR rules, if you are a Controller of Personal Data, you have additional obligations; for more information, click here.

For More Information

For FAQs please go here, or email us on Additionally, visit our Privacy Policy and Security Page.

Michael FitzGerald