The setup
A CRM admin was tired of the junk test leads the sales engineering team left behind every time they ran a product demo — "Test Testerson," "test@test.com," dozens of them, cluttering every list view. The fix seemed obvious: a nightly scheduled rule that deleted any lead where the email address or company name contained the string "test," case-insensitive, no confirmation step, no logging beyond a row count. It was tested once, against a spreadsheet of five sample leads that were all, deliberately, obviously fake. It worked. It shipped. The schedule was turned on, and everyone went to lunch.
The collapse
The rule ran every night for eleven weeks before anyone noticed a pattern. The casualties included real, paying clients: "Testudo Systems," "Protestant Charities Coalition," "Contest Media Group," and — the case the admin still brings up unprompted — a genuine prospective client whose company was named "Attestor Logistics." Every one of these accounts quietly vanished from the CRM at 2am, along with every note, every logged call, and every attached deal, with no warning and no recovery path, because the deletion was hard, not a soft-delete with a trash bin.
Sales reps spent weeks assuming specific clients had gone cold and stopped responding, when in fact those clients had kept emailing a rep whose CRM had no record they had ever existed. One rep sent an increasingly apologetic string of "just checking in" emails to a contact at Attestor Logistics, unaware the CRM had erased that contact three separate times across three separate nights, each time re-created fresh by an inbound-email sync and re-deleted the following 2am like clockwork.
The autopsy
Root causes on record
- A substring match on a live word is not a safe filter. "Test" appears in company names as often as it appears in junk data — the rule couldn't tell the difference because it never tried to.
- Tested against five fake records, not representative data. A quick sanity check on obvious junk didn't surface the real-world collision with legitimate company names.
- No soft delete, no recovery window. A destructive nightly rule with no staging step and no undo turned a bad filter into permanent data loss.
- No logging of what was deleted. Even after the pattern was suspected, there was no audit trail to quickly confirm which records the rule had actually removed over eleven weeks.
- Nobody reviewed a rule that touched every record in the database nightly. A blast radius that large shipped with the same casualness as a personal report tweak.
Recommendation pending
Editor's note: this slot will point to a data-quality/hygiene tool built around safe, reversible cleanup — soft deletes, audit trails, and dry-run previews before anything destructive runs.
What the post-mortem actually changed
The nightly rule is gone. In its place: a weekly review queue that flags likely-junk leads for a human to confirm before anything is removed, and every deletion — bulk or single — now goes to a 30-day soft-delete bin first. The admin still isn't sure how many other companies with "test," "contest," or "protest" in the name got caught over eleven weeks. Nobody kept a log. That was, in fact, the whole problem.