CallX Exposed Voice Recordings and Text Messages of Thousands

  • A small Californian marketing firm has exposed the PII, text messages, and marketing targets' phone calls.
  • The firm has failed to properly secure its AWS S3 bucket, leaving everything accessible for an extensive period of time.
  • The regulatory and legal consequences for the company could be deleterious, even finishing.

California-based telemarketing company "CallX" has misconfigured its AWS S3 bucket for public access without a password and irreversibly exposed between ten and a hundred thousand people. The size of the exposed data is 485 GB, the number of files is 114,000, and the date ranges between 2014 and 2020.

The type of exposed information includes voice recordings, text messages, and people’s personally identifiable information (PII) such as full names, phone numbers, home addresses, etc.

Source vpnMentor

CallX was founded in 2015, and the reason why it held data dating a year before it was formed is that they’re buying these details from others. The information is then used for the promotion of services, track-based data collection for marketing operations, etc.

CallX buys advertising space on Google and Facebook on the account of its clients and then promotes their products and services to the targets. Leads are directed to phone calls with a CallX agent, and those calls are recorded and stored in an AWS bucket.

Source: vpnMentor

The data discovery came through a research by Noam Rotem and his teammates in vpnMentor, who found the database on December 24, 2020. The vendor was contacted thrice until the end of January 2021 but never responded.

Amazon was also contacted thrice during the same period, but they didn’t take any action either. Eventually, U.S. CERT (Computer Emergency Readiness Team) was informed about the leaking bucket on February 22, 2021.

Because CallX resides in California, where strict data privacy laws (CCPA) apply, the company may consider itself in great trouble right now. Besides the legal action and the fines that are sure to come soon, clients on the local market would almost definitely not want to do business with them anymore. Nobody in the area wants to risk legal trouble and having to go through investigations, so the “small” mistake of misconfiguring your server can have a detrimental impact on your business.

If you have had a phone conversation with a CallX agent, beware of fraudsters and phishing emails, or even SMS. If you are a client of the company, make sure to take action to protect your customers by sending them a notice to inform them of the breach. It is also possible that you will be involved in regulatory actions, so be prepared for that.

How to Watch Ladies of the ‘80s: A Divas Christmas Online from Anywhere
Ladies of the '80s: A Divas Christmas is a film about how five '80s soap opera divas gather to share the spotlight...
How to Watch Power Book III: Raising Kanan Season 3 from Anywhere
Power Book III: Raising Kanan Season 3 is almost here. The series airs on STARZ at 8 pm ET in the US...
How to Watch My Norwegian Holiday Online from Anywhere
My Norwegian Holiday follows a grief-stricken protagonist on a journey to Norway to unravel the secret behind a mysterious troll figurine left...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari