It has been reported that British travel company Teletext Holidays has suffered a data breach in which some 212,000 customer call audio files were left unprotected on an online server for three years, exposing customer names, email addresses, home addresses, phone numbers and dates of birth. Verdict discovered the files – which have since been removed – on an unsecured Amazon Web Services server. The calls took place between 10 April 2016 and 10 August 2016. They range from a few minutes to an hour and, based on accents, appear to involve UK customers.
The news that Teletext Holidays left the recorded telephone calls of over 200,000 customers exposed online for over three years provides yet another example of the security issues that misconfiguration of the cloud can cause for businesses.
To make matters even worse, some of the stored calls also had accompanying transcripts, making life even easier for criminals searching for the personal details required to carry out fraud.
With the proliferation of organisations using cloud services like AWS, those responsible for locking down data need to understand the risks, and the tools available to mitigate them. That the data was left exposed online for three years demonstrates the lack of visibility Truly Travel had over its cloud infrastructure, something inexcusable when comprehensive solutions are available to monitor and control cloud use.
The use of cloud services such as Amazon Web Services has become ubiquitous in recent years, and organisations – such as Teletext Holidays – are much more comfortable trusting sensitive data to the cloud. In fact, our own research has found that 61 percent of security professionals believe the risk of a security breach is the same or lower in cloud environments than on premises.
However, Teletext is an example of why companies should not become complacent with their use of the cloud. Cloud services are not secure by default, and the access and privacy settings on cloud storage services have to be configured to protect the sensitive data they hold. In this case, Teletext has put the names, email addresses, home addresses, phone numbers and dates of birth of more than 200,000 customers at risk. All of these details are Personally Identifiable Information (PII) under GDPR, and placing the calls in the cloud does not mean the data is no longer the organisation’s responsibility. Companies have exactly the same responsibility to secure data in the cloud as they do for the data they hold on premises.
Aside from the painfully obvious “please don’t store unencrypted data in unencrypted data stores and be at all surprised when it leaks”, this makes the point very well that the actual medium in which data is stored is irrelevant; the fact that these were voice files makes no difference to the value of the data to hackers. It all has a dollar value and is saleable online (and will be for sale already). It is also a treasure trove for anyone who wants to build more sophisticated and damaging attacks – it’s an intelligence feed for hackers; this simple leak could spawn many more and worse.
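The two points above, that cloud storage has to be explicitly configured to deny public access and that a data store holding sensitive material should encrypt by default, are things a practitioner can check mechanically. The script below is an added example and is not code from this article, from Teletext Holidays or from Verdict. It assumes the "unsecured Amazon Web Services server" was an S3 bucket, which the article does not state; it works on the response shapes of the real boto3 calls `get_bucket_acl`, `get_bucket_policy`, `get_public_access_block` and `get_bucket_encryption`, but the bucket names and the sample responses it audits are constructed for illustration. `fetch_and_audit` expects a boto3 S3 client passed in by the caller; boto3 itself is not imported, so the rest of the file runs offline.

```python
"""Audit an S3 bucket for public exposure and missing default encryption.

Added example (not the article's or Teletext's code). Assumes an S3 bucket was the exposed
store; the sample ACL/policy/configuration responses below are constructed, not captured.
"""
import json

# Grantee URIs that make an ACL public: everyone on the internet, or any AWS account holder.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)
# What remediation should apply via put_public_access_block: all four settings on.
HARDENED_PUBLIC_ACCESS_BLOCK = {key: True for key in PUBLIC_ACCESS_BLOCK_KEYS}


def public_acl_grants(acl):
    """ACL grants to AllUsers/AuthenticatedUsers (acl: get_bucket_acl response or None)."""
    grants = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            grants.append(grant)
    return grants


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}; both admit unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_document):
    """Allow statements open to any principal (policy_document: the JSON string from
    get_bucket_policy()["Policy"], or None). Statements carrying a Condition are still
    reported: a Condition may narrow access, but a reviewer should confirm that."""
    if not policy_document:
        return []
    statements = json.loads(policy_document).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written without a list
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))]


def public_access_block_complete(pab):
    """True only when all four Block Public Access settings are on."""
    config = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(config.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS)


def default_encryption_enabled(enc):
    """True when the bucket has a default server-side encryption rule."""
    rules = (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in rules)


def audit_bucket(name, acl=None, policy_document=None, pab=None, enc=None):
    """Return human-readable findings; an empty list means nothing was detected."""
    findings = []
    if not public_access_block_complete(pab):
        findings.append(f"{name}: Block Public Access is not fully enabled")
    for grant in public_acl_grants(acl):
        group = grant["Grantee"]["URI"].rsplit("/", 1)[-1]
        findings.append(f"{name}: ACL grants {grant['Permission']} to {group}")
    for stmt in public_policy_statements(policy_document):
        actions = stmt.get("Action", [])
        actions = ", ".join(actions) if isinstance(actions, list) else actions
        findings.append(f"{name}: bucket policy allows {actions} to any principal")
    if not default_encryption_enabled(enc):
        findings.append(f"{name}: no default server-side encryption")
    return findings


def fetch_and_audit(s3, name):
    """Pull the four settings with a boto3 S3 client and audit them. S3 raises a ClientError
    when a bucket has no policy, no Block Public Access configuration or no encryption rule;
    each absence becomes None so the audit reports it instead of skipping it."""
    def optional(call):
        try:
            return call()
        except s3.exceptions.ClientError:
            return None
    policy = optional(lambda: s3.get_bucket_policy(Bucket=name)) or {}
    return audit_bucket(name, acl=s3.get_bucket_acl(Bucket=name),
                        policy_document=policy.get("Policy"),
                        pab=optional(lambda: s3.get_public_access_block(Bucket=name)),
                        enc=optional(lambda: s3.get_bucket_encryption(Bucket=name)))


# Constructed sample: a bucket readable by everyone, with no public-access block and no
# default encryption, i.e. the kind of setting that leaves stored recordings open to anyone.
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-call-recordings/*"}]})  # hypothetical bucket name
# The same bucket hardened: owner-only ACL, no policy, full public-access block, SSE-KMS.
HARDENED_ACL = {"Grants": [LEAKY_ACL["Grants"][0]]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": HARDENED_PUBLIC_ACCESS_BLOCK}
HARDENED_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

if __name__ == "__main__":
    for finding in audit_bucket("leaky", LEAKY_ACL, LEAKY_POLICY, None, None):
        print(finding)
    print("hardened:", audit_bucket("hardened", HARDENED_ACL, None, HARDENED_PAB, HARDENED_ENC))
```

Against a real account this is `fetch_and_audit(boto3.client("s3"), "bucket-name")`, run for every bucket in `list_buckets`. Two caveats a reviewer would want: Block Public Access also exists at the account level (`s3control` `get_public_access_block`), which is the setting that stops a future bucket being created open; and `get_bucket_policy_status` returns AWS's own `IsPublic` verdict, which is a useful cross-check on the policy analysis here since S3 evaluates Conditions that this script only flags for review.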
Nor should we be complacent that extracting data from audio files is somehow difficult; it isn’t. It might be slightly more time consuming but that is all. Ironically, this may affect Teletext themselves more than the hackers; to begin making contact with their affected clients they will have to find their own way of extracting the details – and they will probably find that more difficult than do the attackers. 532,000 records is not the biggest of leaks but that will be of no comfort to those individuals affected; this is a not insignificant breach. It will be very interesting to see how the ICO respond.
A final point this incident highlights is, again, the importance of third-party security: however good a company’s own security is, vulnerabilities within suppliers and vendors remain highly significant. That someone else holds your data does not remove your accountability for it; it just changes (and expands) the footprint that needs to be considered within a security strategy.
Data breaches involving Personally Identifiable Information (PII) provide cybercriminals with a treasure trove of information that can be used for identity fraud, phishing or targeted email attacks. The lack of cyber hygiene demonstrated here tells us a lot about current cyber security culture; organisations need to make sure that any sensitive data is stored on properly secured servers.