I discovered a data leakage vulnerability on a website that was leaking PII of their customers. I reported this to their service desk and one of the owners of the company. I was told to remove them from any future emails, otherwise I would be reported for spamming. I contacted them again clarifying that they had a data leakage problem and screenshotted the example on their website. I said I am freely sharing this information with them and wanted to communicate with someone that can fix the problem.
Nothing but crickets, with them still leaking this data.
It's not a big company, but they are leaking about 3000 of their customers' PII and some internal confidential information. If someone dug deeper into the unsecured API I am sure they would find even more data.
What would be your next step?
If it were in the UK you could report them to the data protection regulator, the ICO. The ICO could then threaten them with enforcement action unless they addressed the vulnerability.
> litwin (Newcomer I) posted a new topic in Welcome on 07-04-2019 06:06 PM
> I discovered a data leakage vulnerability on a website that was
> leaking PII of their customers. I reported this to their service desk and one of
> the owners of the company. I was told to remove them from any future emails
> otherwise I would be reported for Spamming. I contacted them again clarifying
> that they had a data leakage problem and screenshot the example on their
> website. I said I am freely sharing this information with them and wanted to
> communicate with someone that can fix the problem. Nothing but crickets, with
> them still leaking this data.
OK, be really careful. These guys obviously don't care about anything so much as their "brand." You are now the threat, as they perceive it. And, unfortunately, they can make lots of trouble for you.
> It's not a big company but they are leaking
> about 3000 of their customers' PII and some internal confidential information. If
> someone dug deeper into the unsecured API I am sure they would find even more
> data. What would be your next step?
You might want to talk to some of the security research outfits, who know how to do this. If pursuing it yourself, get some legal help first. (EFF might be a good place to start.)
Even though it goes against the grain, and you are only trying to help others, it may be that your best course is simply to walk away.
If not, having tried to alert the company and been rebuffed (I'd keep all correspondence on that score) you might simply write up the problem and publish it. But, even that could get you into legal trouble if they decide to sue ...
(All of this assumes that you reside in the Litigious States of America.)