Vistaprint, a global e-commerce seller of promotional products and printed marketing materials owned by Top 40 distributor Cimpress (asi/162149), has left a customer service database unprotected.

More than 51,000 customer service interactions, including calls, chats and emails, were unveiled, TechCrunch reported. However, there were no passwords or financial data in the exposed database.

First detected by search engine Shodan on Nov. 5, Vistaprint’s database may have been exposed before then. Security researcher Oliver Hough discovered the unencrypted database last week, tweeting the Massachusetts-based company about the security lapse, but never hearing back. Vistaprint quietly took the database offline after TechCrunch reached out.

Hey @Vistaprint do you have a bug bounty program? or a security contact I can talk to. Got something here that your security team will want to look at ASAP

my DM's are open

— Oliver Hough (@olihough86) November 21, 2019

so @Vistaprint have still not bothered to make contact. Database is still online

— Oliver Hough (@olihough86) November 23, 2019

yo @Cimpress you own Vistaprint now right? can you hook me up with a security contact? Got a database they need to take down ASAP

— Oliver Hough (@olihough86) November 23, 2019

Just in case anyone was wondering what my cryptic tweets to @vistaprint and @Cimpress were all about. https://t.co/8yKTzxkhHQ

— Oliver Hough (@olihough86) November 25, 2019

The database contained five tables stored with data, TechCrunch reported. One table named “cases” contained incoming customer queries, including the customer’s name, email address, phone number and the date and time of their interaction with customer service. Each customer service interaction appeared to have graded the customer’s query based off keywords picked from the query. That helped to determine the customer’s “sentiment,” which then described the complaint as either “negative” or “neutral.” The data also included the “priority” of a customer’s interaction, allowing it to be pushed higher in the queue. Many of those customer service interactions were as recent as mid-September.

Another table named “chat” contained thousands of customers’ line-by-line online chat interactions with support agents. Additionally, the table contained information about the customer’s browser and network connection, where they were located, what operating system they used and their internet provider. Some of the recorded chat logs also contained order numbers and postal tracking numbers.

The “emails” table contained entire email threads with customers detailing problems with their orders or other issues. The “phone” table contained specific information about each call, including the date and time, how long the customer was kept on hold, a written transcript of the call and an internal link to the recording of the call. The data also contained some account information, including work email addresses and some phone numbers belonging to Vistaprint customer service staff.

According to Hough, the database was not currently sending or receiving data. The database was named “migration,” suggesting the database was used to temporarily store data while it was moving customer records from one server to another. However, there was no password on the database, allowing anyone to access the data inside.

Robert Crosland, a spokesperson for Vistaprint, said that the exposure affected customers in the United States, the United Kingdom and Ireland. “This is unacceptable and should not have happened under any circumstances,” Crosland told TechCrunch. “We’re currently carrying out a full investigation to understand what happened and how to prevent any future recurrence. At this time, we do not know whether this data has been accessed beyond the security researcher who found it.”

Vistaprint told TechCrunch it will inform customers of the exposure – many of whom are shielded via General Data Protection Regulation (GDPR), implemented by the European Union in 2018. The legislation unifies data privacy laws across the continent and extends the scope of the regulation to all foreign companies processing data of EU residents. If companies don’t adhere to the regulation, they face a maximum fine of €20 million or 4% of their annual global revenue.