The vpnMentor security team found an unsecured AWS S3 bucket belonging to a US telemarketing company. The exposed bucket contained personal details of potentially tens of thousands of consumers, left for the taking because the cloud storage bucket had been misconfigured to allow public access.
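Exposures of this kind come down to one of three bucket settings being permissive: Block Public Access turned off, an ACL granting the AllUsers or AuthenticatedUsers group read rights, or a bucket policy with a wildcard principal. The following audit script is an added example written for this article, not vpnMentor's tooling or anything from CallX. It takes the JSON shapes that the S3 API returns for `get_public_access_block`, `get_bucket_acl` and `get_bucket_policy` (the sample values below are constructed, not taken from the incident) and reports every setting that would make the bucket world-readable, so it can be run offline against exported configuration.

```python
import json

# Canned S3 group URIs that mean "everyone" / "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a wildcard principal read or enumerate objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Both "Principal": "*" and {"AWS": "*"} mean anyone, anonymous included.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws is not None and "*" in _as_list(aws)
    return False


def policy_public_statements(policy_json):
    """Sids of unconditional Allow statements granting read access to anyone."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    sids = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # a Condition (e.g. aws:SourceVpc) narrows the grant; review separately
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def acl_public_grants(acl):
    """Permissions the ACL hands to the AllUsers / AuthenticatedUsers groups."""
    perms = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            perms.append(grant.get("Permission"))
    return perms


def block_public_access_complete(pab):
    """True only when all four Block Public Access switches are on."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


def audit_bucket(pab, acl, policy_json):
    """Return a list of findings; an empty list means nothing grants public read."""
    findings = []
    if not block_public_access_complete(pab):
        findings.append("block-public-access incomplete")
    for perm in acl_public_grants(acl):
        findings.append(f"acl grants {perm} to a public group")
    for sid in policy_public_statements(policy_json):
        findings.append(f"policy statement {sid} allows public read")
    return findings


# Constructed sample: an exposed bucket (every control permissive).
EXPOSED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed sample: the hardened counterpart (BPA on, owner-only ACL, deny-only policy).
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":
    for label, args in (("exposed", (EXPOSED_PAB, EXPOSED_ACL, EXPOSED_POLICY)),
                        ("hardened", (HARDENED_PAB, HARDENED_ACL, HARDENED_POLICY))):
        print(label, audit_bucket(*args) or ["no public access found"])
```

The exposed sample produces three findings, one per control, while the hardened sample produces none: the only wildcard-principal statement there is a Deny, which the checker deliberately ignores. In practice the checks are redundant by design: with all four Block Public Access switches on, a stray public ACL or policy statement is ignored by S3, which is why that setting is the first thing to verify.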
The vulnerable bucket was discovered by vpnMentor on December 24 last year. It was traced to CallX, a California-based company offering analytics and marketing services.
According to CallX’s website, among its customers are lending marketplace Lendingtree, Liberty Mutual Insurance, Vivint, and more.
Noam Rotem of vpnMentor found 114,000 files publicly accessible in the exposed bucket. The bulk of the files were audio recordings of phone conversations between CallX clients and their customers, made by the firm’s marketing software. About 2,000 text chat transcripts were exposed as well.
These files, the researcher found, included such personally identifiable information (PII) as full names, home addresses, phone numbers, and more.
Attackers can download the data from such an exposed server and use it to launch phishing and vishing attacks, or use it in credential stuffing campaigns, warned vpnMentor.
With victims’ phone numbers in hand, they could also phish for further information.
“If cyber-criminals needed additional information, they could hijack calls logged by CallX and do fake ‘follow-up’ phone calls or emails posing as a representative of the relevant CallX client company,” vpnMentor claimed in an interview with Infosecurity.
It’s not hard to imagine that, using the transcripts, attackers could easily establish trust with victims in such schemes. “As the people exposed have no apparent relationship to one another, by the time the fraud was discovered, it may be too late,” the VPN provider explained.
At the time of writing, the bucket remains exposed.
Both Infosecurity and vpnMentor contacted CallX, to no avail. They also informed US-CERT.
Misconfiguration of cloud storage isn’t just a security issue; it presents a major business risk, as a provider’s customers reading reports like this one may start looking for other providers.
“Due to the bad publicity a data breach like this can create, CallX’s clients may distance themselves from the company and switch to rival software providers,” warned vpnMentor.
In addition, by not securing the data, CallX runs the risk of regulatory scrutiny, as it falls under the jurisdiction of California’s new privacy law, the CCPA.