CallX Exposed Voice Recordings and Text Messages of Thousands

  • A small Californian marketing firm has exposed the PII, text messages, and phone calls of its marketing targets.
  • The firm failed to properly secure its AWS S3 bucket, leaving everything accessible for an extended period of time.
  • The regulatory and legal consequences for the company could be severe, even business-ending.

California-based telemarketing company “CallX” misconfigured its AWS S3 bucket, leaving it open to public access without a password, and irreversibly exposed the data of between ten and a hundred thousand people. The exposed data totals 485 GB across 114,000 files, dated between 2014 and 2020.

The type of exposed information includes voice recordings, text messages, and people’s personally identifiable information (PII) such as full names, phone numbers, home addresses, etc.

Source: vpnMentor

CallX was founded in 2015; it holds data dating from a year before it was formed because it buys these details from others. The information is then used for the promotion of services, track-based data collection for marketing operations, etc.

CallX buys advertising space on Google and Facebook on behalf of its clients and then promotes their products and services to the targets. Leads are directed to phone calls with a CallX agent, and those calls are recorded and stored in an AWS bucket.

Source: vpnMentor

The data was discovered through research by Noam Rotem and his teammates at vpnMentor, who found the database on December 24, 2020. The vendor was contacted thrice until the end of January 2021 but never responded.

Amazon was also contacted thrice during the same period, but they didn’t take any action either. Eventually, U.S. CERT (Computer Emergency Readiness Team) was informed about the leaking bucket on February 22, 2021.

Because CallX resides in California, where strict data privacy laws (CCPA) apply, the company may consider itself in great trouble right now. Besides the legal action and the fines that are sure to come soon, clients on the local market would almost definitely not want to do business with them anymore. Nobody in the area wants to risk legal trouble and having to go through investigations, so the “small” mistake of misconfiguring your server can have a detrimental impact on your business.

If you have had a phone conversation with a CallX agent, beware of fraudsters and phishing emails, or even SMS. If you are a client of the company, make sure to take action to protect your customers by sending them a notice to inform them of the breach. It is also possible that you will be involved in regulatory actions, so be prepared for that.
