CallX Exposed Voice Recordings and Text Messages of Thousands

  • A small Californian marketing firm has exposed the PII, text messages, and marketing targets’ phone calls.
  • The firm has failed to properly secure its AWS S3 bucket, leaving everything accessible for an extensive period of time.
  • The regulatory and legal consequences for the company could be deleterious, even finishing.

California-based telemarketing company “CallX” has misconfigured its AWS S3 bucket for public access without a password and irreversibly exposed between ten and a hundred thousand people. The size of the exposed data is 485 GB, the number of files is 114,000, and the date ranges between 2014 and 2020.

The type of exposed information includes voice recordings, text messages, and people’s personally identifiable information (PII) such as full names, phone numbers, home addresses, etc.

Source vpnMentor

CallX was founded in 2015, and the reason why it held data dating a year before it was formed is that they’re buying these details from others. The information is then used for the promotion of services, track-based data collection for marketing operations, etc.

CallX buys advertising space on Google and Facebook on the account of its clients and then promotes their products and services to the targets. Leads are directed to phone calls with a CallX agent, and those calls are recorded and stored in an AWS bucket.

Source: vpnMentor

The data discovery came through a research by Noam Rotem and his teammates in vpnMentor, who found the database on December 24, 2020. The vendor was contacted thrice until the end of January 2021 but never responded.

Amazon was also contacted thrice during the same period, but they didn’t take any action either. Eventually, U.S. CERT (Computer Emergency Readiness Team) was informed about the leaking bucket on February 22, 2021.

Because CallX resides in California, where strict data privacy laws (CCPA) apply, the company may consider itself in great trouble right now. Besides the legal action and the fines that are sure to come soon, clients on the local market would almost definitely not want to do business with them anymore. Nobody in the area wants to risk legal trouble and having to go through investigations, so the “small” mistake of misconfiguring your server can have a detrimental impact on your business.

If you have had a phone conversation with a CallX agent, beware of fraudsters and phishing emails, or even SMS. If you are a client of the company, make sure to take action to protect your customers by sending them a notice to inform them of the breach. It is also possible that you will be involved in regulatory actions, so be prepared for that.



How to Watch Formula 1 Without Cable in 2021: Live Stream F1 Grand Prix Anywhere!

The 2021 Formula 1 World Championship is nearly underway, and we're excited to see the big names on the circuit once more,...

How to watch NFL Draft 2021 Without Cable: Date, Time, Schedule, Pick Order, Location, Mock Drafts

The 2021 NFL Draft is almost upon us, and soon the top prospects in the world of football will know where they...

How to Watch NHL 2021 Without Cable – Live Stream Hockey Online from Anywhere

The 2021 NHL season is here, and it ongoing after getting a dodgy start. The 104th season of the National Hockey League...