Civicom, a New York City-based company that offers audio, web conferencing, and market research services, was found to be exposing a trove of personal and sensitive data belonging to its customers. According to its LinkedIn page, the company provides “the best audio and web conferencing services on the planet, webinar services, global marketing research services, leading transcription/CRM entry service, general transcription service, online jury trials, and more.”
It’s worth mentioning that Civicom has offices in the United States, the Philippines, and the UK, with hundreds of employees. This reflects the company’s massive client base and the potentially disastrous effects of such a widespread data exposure. Worse, the S3 bucket was left publicly open with no password or security verification, allowing anyone who knows how to find misconfigured databases to access the data. The Website Planet security team, which found the database, revealed that Civicom exposed 8 gigabytes of records comprising more than 100,000 files.
The exposure was caused by one of Civicom’s misconfigured Amazon S3 buckets. Because of the database’s massive size, the researchers were unable to examine each file individually. Even so, their investigation found that the exposed information contained tens of thousands of hours of audio and video recordings revealing private conversations, as well as written transcripts from the company’s clients. In addition, the exposure revealed personally identifiable information (PII) such as employees’ full names and photographs.
The Website Planet security team stated in a blog post that the AWS S3 bucket had been active since 2018. The researchers discovered the exposure on October 28th, 2021, and notified Civicom on October 30th, 2021. After three months, Civicom responded to Website Planet and secured the bucket on January 26th, 2022. The good news is that the bucket is no longer accessible to the general public.
It is not yet known whether the database was accessed by a malicious third party, such as ransomware gangs or other threat actors. However, it would be disastrous for Civicom, its staff, and its clients if this were to happen. Threat actors could exploit the leaked recordings to steal trade secrets and other sensitive data from the company’s customers. Furthermore, a rival might pay a lot of money for the data during the COVID-19 pandemic. If you’re a Civicom customer, now is the time to call the company and ask about the incident.