CallX, a telemarketing company, recently suffered a data breach. The company sells marketing services and software to enterprise clients, allowing businesses to track the performance of their media buying and telemarketing operations.
The data breach was discovered by vpnMentor's research team, led by Noam Rotem. According to their report, over a hundred thousand private files (including audio recordings and text chat transcriptions) were publicly accessible, compromising the privacy and safety of thousands of people.
CallX was using an unsecured Amazon Web Services S3 bucket to store client audio files. These buckets are a popular form of enterprise cloud storage, but they require users to set up their own security protocols, and many companies using AWS are not aware of this.
The research team discovered CallX's S3 bucket and was able to view it due to insufficient security. CallX was storing data from various clients all in one place. In the audio and text conversations, customers revealed vast amounts of private information, including full names, phone numbers, home addresses, callback dates for phone calls, and additional personal information.
In a blog post, vpnMentor warned that with the leaked data, attackers could launch convincing phishing and fraud attacks and stated, “If cyber-criminals needed additional information, they could hijack calls logged by CallX and do fake ‘follow-up’ phone calls or emails posing as a representative of the relevant CallX client company.”
The breach affects not only CallX's customers but also CallX itself, which will be under the jurisdiction of the state’s CCPA data privacy law. CallX’s clients may distance themselves from the company and switch to rival software providers. Both of these outcomes would be detrimental to CallX’s business and revenue in the short term and the long term.
vpnMentor offered recommendations in two parts: first for securing an open S3 bucket, and second for CallX clients. CallX could quickly fix the error by making the bucket private and adding authentication protocols, following AWS access and authentication best practices, and adding more layers of protection to its S3 bucket to further restrict who can access it from every point of entry.
CallX customers, on the other hand, should contact the company directly to determine what steps are being taken to protect their customer data. vpnMentor also recommended thoroughly vetting all third-party software solutions you integrate into your operations to ensure they follow the strictest possible data security practices.
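One way to check a bucket for the kind of exposure described above, as an added example that is not from vpnMentor's report or from CallX: a Python audit of a bucket's ACL grants, bucket policy and Block Public Access settings, in the shapes the S3 API returns them. The bucket name, grants and policy are constructed sample data, and `audit_bucket` is a hypothetical helper.

```python
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean anyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket(grants, policy_json, pab):
    """Return findings for ACL grants, bucket policy and Block Public Access."""
    findings = []
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"block-public-access: {flag} is off")
    for g in grants:
        if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            state = "ignored" if pab.get("IgnorePublicAcls") else "ACTIVE"
            findings.append(f"acl: {g['Permission']} granted to a public group ({state})")
    policy = json.loads(policy_json) if policy_json else {}
    for st in _as_list(policy.get("Statement", [])):
        # Simplification: statements with a Condition are skipped, review them by hand.
        if (st.get("Effect") == "Allow" and _is_wildcard(st.get("Principal"))
                and not st.get("Condition")):
            state = "restricted" if pab.get("RestrictPublicBuckets") else "ACTIVE"
            findings.append(f"policy: {st.get('Sid', '?')} allows any principal ({state})")
    return findings

# Constructed sample: a bucket open to everyone, and fully enabled Block Public Access.
OPEN_GRANTS = [{"Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}]
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-recordings/*"}]})
LOCKED_PAB = dict.fromkeys(PAB_FLAGS, True)

if __name__ == "__main__":
    for line in audit_bucket(OPEN_GRANTS, OPEN_POLICY, {}):
        print(line)
```

With all four Block Public Access flags on, the same public grant and policy statement are still reported, marked as ignored or restricted, so they can be removed rather than left masked.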