A US telemarketing company has leaked the personal details of potentially tens of thousands of consumers after misconfiguring a cloud storage bucket, Infosecurity can reveal.
A team at vpnMentor led by Noam Rotem found the unsecured AWS S3 bucket on December 24 last year. It was traced to Californian business CallX, whose analytics services are apparently used by clients to improve their media buying and inbound marketing.
According to its website, the firm counts lending marketplace Lendingtree, Liberty Mutual Insurance and smart security vendor Vivint among its customers.
Rotem found 114,000 files left publicly accessible in the leaky bucket. Most of these were audio recordings of phone conversations between CallX clients and their customers, which were being tracked by the firm’s marketing software. An additional 2000 transcripts of text chats were also viewable.
Personally identifiable information (PII) contained in these files included full names, home addresses, phone numbers and more.
With the leaked data, attackers could launch convincing phishing, fraud and vishing attacks, warned vpnMentor.
“If cyber-criminals needed additional information, they could hijack calls logged by CallX and do fake ‘follow-up’ phone calls or emails posing as a representative of the relevant CallX client company,” it claimed.
“Using the transcripts, it would be easy to establish trust and legitimacy with targets in such schemes. As the people exposed have no apparent relationship to one another, by the time the fraud was discovered, it may be too late.”
CallX may also be at risk of regulatory scrutiny as it falls under the jurisdiction of the new Californian privacy law, the CCPA.
Unfortunately, the bucket remains open at the time of writing. Both Infosecurity and vpnMentor have tried to contact CallX with no response. The research team first reached out to the firm on January 3 2021 and then to AWS on January 6. The cloud provider is also believed to have contacted CallX about the leak, and the US-CERT has been informed.
Misconfiguration of cloud storage isn’t just a security issue; it can quickly become a major business risk.
“Due to the bad publicity a data breach like this can create, CallX’s clients may distance themselves from the company and switch to rival software providers,” warned vpnMentor. “Those same rivals could exploit the breach to lure CallX clients away through negative marketing campaigns.”