If you’ve ever had a voicemail appear out of nowhere, there’s a good chance Stratics Networks was involved.
The Toronto-based company is the self-proclaimed inventor of “ringless voicemails,” offering its customers a way of auto-dialing a list of phone numbers and dropping voicemails without leaving a missed call. The system uses a backdoor voicemail number typically reserved by the carrier to leave a voicemail directly in a person’s mailbox. The company once claimed it was able to process up to 10,000 ringless voicemails per minute — if you pay for it.
But the company left its back-end storage server open without a password, exposing thousands of outgoing and incoming recordings.
Security researcher John Wethington found the exposed server and asked TechCrunch to contact Stratics to secure the data. The server, hosted on Amazon Web Services, contained at least 100,000 records from more than 4,000 folders, each representing a single client campaign.
According to BinaryEdge data, the exposed server was first seen on April 5, but may have been exposed for longer.
“This data was open to anyone with a browser and necessitated no special access or privileges,” Wethington told TechCrunch. “I genuinely hope we were the first to identify it and responsibly disclose it because if that data is in unethical or criminal hands it’s going to be abused.”
“Organizations must consider the privacy ethics and not just the regulations when offering services,” he said. “The potential for abuse and privacy violations is every corporation and executive’s responsibility.”
Customers use the company’s offering to leave voicemails without needing someone to call each person — from debt collectors to doctor’s offices reminding patients about upcoming appointments. Not only does the company permit customers to record outgoing voicemails to ensure a voicemail was actually dropped, it also records incoming calls when someone picks up.
It was those recordings that were exposed, said Wethington. TechCrunch reviewed several folders of recordings.
In one case, we found several districts in Florida used Stratics to inform citizens that their election postal ballots were set to expire. One folder contained more than 5,200 audio recordings of callers responding to voicemail drops sent by Broward County and Hillsborough County. Of the several recordings we heard, many callers shared sensitive data over the phone — including their names, addresses, dates of birth and, in some cases, their voter ID numbers.
Other folders in the exposed data contained dozens of incoming call records from those who had been sent a voicemail drop. One of those was a law firm, which call center employees identified as Key Tax Group. Of the callers we reviewed, none knew why they were left an unsolicited voicemail, but all were asked by the call center worker if they needed help with their taxes. At no point were the callers told that the calls were being recorded, despite laws in several states — like California and Maryland — requiring that everyone on the same call agree that the call can be recorded. Each recording had the unsuspecting caller’s telephone number in the filename. When contacted by TechCrunch, several of the victims of the cold-call swindle confirmed they lived in states with two-party laws.
And one other company, which the call center employee identified as Michigan Comfort, received more than a hundred calls as recently as this month from people who had been dropped an unsolicited voicemail. Following much the same pattern as the law firm, those callers were asked if they were interested in “a duct inspection or a furnace rebate.”
“You shouldn’t call people out of the blue and neither should your company,” said one angry victim in a recording.
Although Stratics’ website says it “does not tolerate spam in any form,” the company puts the onus of compliance on its customers. “You are 100% liable for conformity when building calls originating under your account,” says its website.
Shortly after we contacted the company Thursday about the data exposure, the leaking server was secured.
“We take compliance and data security very seriously, and we are currently investigating to determine to what extent, if any, datum has been exposed to unauthorized access,” said Chris Collins, a spokesperson for Stratics. “We have currently engaged an outside legal firm to guide us in our investigation. We are also engaging a third party cyber security firm to perform a full homeland security audit.”
TechCrunch sent Stratics several questions about spam and call recording. Collins said Stratics would “block” users found in violation of its policies, and that its clients bore the responsibility to follow all local, state and federal call recording laws.
Following our disclosure, the company pulled its “discover” section from the site. When asked, Collins said this was “to avoid our website from being overloaded” in response to this article.
We also asked how long the data was exposed, whether the company will notify customers and regulators per state data breach notification statutes, and whether anyone else had accessed the storage server.
Stratics declined to comment further.