More than 400,000 audio files associated with a Florida company’s telemarketing efforts were stored online in the clear, and were discovered earlier this month by researchers at MacKeeper. More than 17,600 of those audio recordings were customer transactions that included names, addresses, and credit card and CVV information of those called.
The discovery was made by the MacKeeper Security Research Center, which said it found 28GB of recordings stored on a server belonging to Vici Marketing.
“The server did not have any security such as SSL or password protection,” said Bob Dyachenko, chief communication officer at MacKeeper.
Vici Marketing did not return requests for comments for this story.
“There is enough information in each call to provide cyber criminals with all they need to steal the credit card information or commit a wide range of crimes,” wrote MacKeeper researchers in a blog post.
MacKeeper said the audio files were from approximately four separate companies that were each owned by Vici Marketing. One of those companies, identified by MacKeeper, denied any association with Vici Marketing when asked by Threatpost.
Dyachenko said that MacKeeper discovered the database of audio files on Jan. 17 and contacted Vici Marketing last Monday to notify it of the insecure data. He said the company has since secured the server in question.
“Data was discovered during our routine security audit of IoT devices a week before last on an IP address that contained clear references to VICI Marketing as being the owner. No authentication was set at all, anybody with internet connection could have accessed the data,” Dyachenko said.
In 2009, Vici Marketing paid a $350,000 fine to the Florida Attorney General’s Office in connection with an allegations that it acquired stolen consumer data and failed to properly vet the data to make sure it was acquired legitimately, according to a Tampa Bay Times report. None of the discovered audio files were part of the 2009 incident.
According to researchers, the audio files all appeared to originate from a Vici Marketing-owned company over the past several years. “One of the folders seemed to be updated in real time with new cold calls every day,” Dyachenko said.
“Improper data storage or misconfigured databases can happen to companies big and small, but for a company who has already paid a hefty price and has been the subject of regulatory violations it seems like they would take cyber security more seriously,” MacKeeper wrote.
Dyachenko said it’s unclear how long the data may have been publicly exposed. He said MacKeeper has been in contact with the Florida Attorney General’s Office regarding the found data. The Florida AG’s office did not return requests for comment for this report.