← All field notes
CRM integrationLive e-commerce

When a CRM integration quietly exposes the wrong data

Aleksandrs · Dec 2025 · 4 min read

The most dangerous bugs don’t break systems. They quietly return the wrong data — and no one notices.

The situation

A production e-commerce system with around 2,000 active users was integrated with a CRM. Customers could log in and view their invoices. For months, everything worked.

Then the CRM changed how it handled filtering internally. The integration didn’t change — but the behaviour did. Some customers started seeing invoices that did not belong to them.

No crashes. No errors. No alerts. By the time we got involved, the issue had already been present for four weeks. From the system’s perspective, everything was fine. From a GDPR perspective, it was already an incident.

The symptom

Nothing looked broken. The portal fetched invoices from the CRM using a filtered query. The CRM returned data. The portal displayed it. Logs showed no errors.

But the data was wrong — and worse, it looked completely valid.

Investigation

The first step was not to fix anything. It was to understand the system.

The portal relied on a filtered query sent to the CRM API. For a long time, that query returned exactly what was expected. Then it didn’t.

Root cause

The CRM had changed how filtering worked internally. The same query still returned results — but those results were no longer strictly limited to the correct customer.

The integration trusted the CRM response. There was no validation layer on the portal side. The assumption was:

“The CRM will always enforce the correct constraints.”
That assumption became false.

Why this kind of bug is dangerous

Most teams expect failures to look like failures:

But integration failures often don’t behave like that. The system keeps working. Only the meaning of the data changes. In this case, incorrect invoices were shown to real customers — for weeks — without triggering a single alert. That’s far more dangerous.

The fix

The fix was not to tweak the query. It was to remove the assumption.

The fix took two days. A third day was spent verifying edge cases and testing cross-customer scenarios.

Conclusion

The issue was resolved. But more importantly, the system became predictable again.

If your system depends on external services:

Because when integrations fail silently, you don’t get an error. You get incorrect reality.

This is the breach you find out about last

Got a site that’s “working fine” — that you can’t fully vouch for?

Send us the one thing that doesn’t sit right, read-only repo access, and a sanitized dump. Within two business days you get a plain-English root cause and a fixed-price quote to fix it. The triage is €360. Miss the deadline and it’s on us.

Read-only · sanitized dump · NDA on request · we never appear to your client