Breach, Compliance Management, Data Security, Network Security, Privacy

Telemarketing firm leaks 400K call recordings, some containing payment data

As a result of a misconfigured database which was left open, Florida-based telemarketing firm VICI Marketing has leaked around 400,000 phone call recordings.

The calls leaked by the company, which has previously gotten in trouble for the mishandling of customer data, contain customer names, addresses, credit card numbers, expiry dates and card security codes.

While over 17,000 contained sensitive and financial details, a further 375,368 cold-calls, some also containing personal information, were also left online without adequate password protection.

The database was secured on 26 January following an investigation by researchers at MacKeeper who said they had been in touch with VICI Marketing's IT manager but he did not provide that information.

The security researchers' investigation into the breach remains ongoing, however they claim it is one of the largest they have ever come across online. The calls are as recent as January this year.

MacKeeper said it downloaded a 28GB-sized copy of the leaked database for verification purposes and that it plans to delete the information once the case is closed. This process may take weeks due to the sheer size of the data leak.

The team said it will work with law enforcement and US Homeland Security to finish the investigation.

"There is enough information in each call to provide cyber-criminals with all they need to steal the credit card information or commit a wide range of crimes," said MacKeeper's Bob Diachenko in a blog post first published on 27 January.

He added: "Improper data storage or misconfigured databases can happen to companies big and small, but for a company who has already paid a hefty price and has been the subject of regulatory violations it seems like they would take cyber-security more seriously."

Diachenko was referring to previous litigation taken against VICI Marketing, as reported by the Tampa Bay Times in 2009, when the firm agreed to pay US$350,000 to settle a case brought forward by the Florida Attorney General's Office.

Matt Bryars, co-founder and CEO at Aeriandi said: “Recording customer calls is a great way for businesses to train staff, improve their customer service and also comply with legal requirements such as the FCA Code of Conduct. However, whether for training purposes, compliance adherence or other business processes, the volume of call recordings being generated today is growing at an exponential rate. Organisations that fail to take securing this data seriously are not only risking the safety of their customers' most sensitive information, but also gambling with their own business reputation.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.