California-based telemarketing company "CallX" has misconfigured its AWS S3 bucket for public access without a password and irreversibly exposed between ten and a hundred thousand people. The size of the exposed data is 485 GB, the number of files is 114,000, and the date ranges between 2014 and 2020.
The type of exposed information includes voice recordings, text messages, and people’s personally identifiable information (PII) such as full names, phone numbers, home addresses, etc.
CallX was founded in 2015, and the reason why it held data dating a year before it was formed is that they’re buying these details from others. The information is then used for the promotion of services, track-based data collection for marketing operations, etc.
CallX buys advertising space on Google and Facebook on the account of its clients and then promotes their products and services to the targets. Leads are directed to phone calls with a CallX agent, and those calls are recorded and stored in an AWS bucket.
The data discovery came through a research by Noam Rotem and his teammates in vpnMentor, who found the database on December 24, 2020. The vendor was contacted thrice until the end of January 2021 but never responded.
Amazon was also contacted thrice during the same period, but they didn’t take any action either. Eventually, U.S. CERT (Computer Emergency Readiness Team) was informed about the leaking bucket on February 22, 2021.
Because CallX resides in California, where strict data privacy laws (CCPA) apply, the company may consider itself in great trouble right now. Besides the legal action and the fines that are sure to come soon, clients on the local market would almost definitely not want to do business with them anymore. Nobody in the area wants to risk legal trouble and having to go through investigations, so the “small” mistake of misconfiguring your server can have a detrimental impact on your business.
If you have had a phone conversation with a CallX agent, beware of fraudsters and phishing emails, or even SMS. If you are a client of the company, make sure to take action to protect your customers by sending them a notice to inform them of the breach. It is also possible that you will be involved in regulatory actions, so be prepared for that.