Package holiday firm Truly Travels exposed over 200,000 customer phone call recordings and data files on a publicly accessible server.
Over 530,000 data files were discovered on an unsecured Amazon Web Services server. Of these files, 212,000 were audio files that held recordings of Teletext customers who had contacted the firm's India-based call centre.
The stored audio files contained customer calls to the data centre that occurred between April and August of 2016. The calls appear to be from UK customers and vary in length from minutes up to an hour. The recorded conversations predominantly relate to holiday bookings or customer complaints; some contain partial credit card details.
Truly Travels, which trades as Teletext Holidays, was created back when television information text services were frequently used for information queries. The company now advertises package holidays that are booked by phone or online. The three-digit CVC number is input via the keypad, so it is not recorded in the calls.
The discovered audio files were stored in a repository named ‘speechanalytics.’ Verdict, which discovered the files, also noted that it found 9,000 VTT files. Web Video Text Tracks (VTT) is a popular file format used to add captions to audio files.
In a statement to Verdict, which first reported the breach, a Truly Travels spokesperson commented that: “We are in the process of reporting the matter to the ICO, and we will fully comply with our wider legal obligations. The company is taking all appropriate steps to ensure that this situation does not occur in the future.”
Misconfigured Server Caused Teletext Data Breach
Misconfigured cloud services continue to be a major problem: companies using infrastructure-as-a-service and platform-as-a-service offerings from IT firms have left themselves vulnerable, with an average of 14 misconfigured instances.
This is according to cyber security firm McAfee, which found in its Cloud Adoption and Risk Report that enterprises are still leaving services in misconfigured states, despite recent high-profile breaches due to misconfigured cloud storage.
The report found that over 20 percent of all files stored in the cloud contain sensitive data, while the number of files with sensitive data shared in the cloud has increased by 53 percent year-on-year.
McAfee found that over 5 percent of all AWS S3 storage buckets are set to a ‘world read’ permissions configuration.
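What a ‘world read’ configuration looks like in practice can be checked mechanically. The following is an added example, not part of the original article or of McAfee's report: a Python audit function that inspects a bucket ACL and bucket policy, shaped like the responses of S3's GetBucketAcl and GetBucketPolicy calls, and reports any grant that makes the bucket readable by everyone. The sample ACL, policy, bucket name and owner ID are constructed for illustration.

```python
import json

# Predefined S3 group URIs that extend an ACL grant beyond the bucket owner.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}  # READ on a bucket = list its objects
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:list*", "s3:getobject", "s3:listbucket"}

def as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def world_read_findings(acl, policy_json=None):
    """Return the reasons (if any) why a bucket is world-readable."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS and grant.get("Permission") in READ_PERMISSIONS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    if policy_json:
        for stmt in as_list(json.loads(policy_json).get("Statement", [])):
            principal = stmt.get("Principal")
            public = principal == "*" or (
                isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
            actions = {a.lower() for a in as_list(stmt.get("Action", []))}
            # Statements with a Condition are skipped here; review those by hand.
            if (stmt.get("Effect") == "Allow" and public
                    and not stmt.get("Condition") and actions & READ_ACTIONS):
                findings.append(f"Policy statement {stmt.get('Sid', '<no Sid>')} "
                                "allows read to Principal '*'")
    return findings

# Constructed sample data (not taken from the breach described above).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
PRIVATE_ACL = {"Grants": [SAMPLE_ACL["Grants"][0]]}

if __name__ == "__main__":
    print("\n".join(world_read_findings(SAMPLE_ACL, SAMPLE_POLICY)))
```

An empty result means neither the ACL nor the policy exposes the bucket to the public groups checked here; it does not cover object-level ACLs.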
Stuart Reed, VP of Cyber Security at Nominet, commenting on the Teletext data breach, stated that: “Teletext is an example of why companies should not become complacent with their use of the cloud. Cloud services are not secure by default, and privacy settings on cloud storage services have to be configured to protect the sensitive data they hold. In this case, Teletext have put the names, email addresses, home addresses, phone numbers and dates of birth of more than 200,000 customers at risk.”
“All of these details are considered to be Personally Identifiable Information (PII) under GDPR and placing the calls in the cloud does not mean the data is no longer the organisation’s responsibility. Companies have exactly the same responsibility to secure data in the cloud as they do with the data they hold on premise.”