Teletext Holidays a) exists and b) left 200k customer call recordings exposed in S3 bucket
Get your grandparents to book with someone else
Teletext Holidays managed to leave more than 200,000 customer phone call recordings exposed on an unsecured AWS server, according to reports.
A total of 532,000 files were exposed on AWS servers belonging to Truly Travel, the company that trades as Teletext Holidays, of which 212,000 were recordings of live calls.
Verdict, the news site that first reported the breach, said the calls were recorded between April and August 2016. They involved Britons ringing up Teletext Holidays to make bookings, change them, complain and do all the other things people do when they phone a company with which they have a booked service.
"In conversations where a holiday is booked, customers also tell the Teletext Holidays employees partial card details. This includes the type of card, name on card and expiry date," reported the site.
While basic security measures were implemented, in that customers were told to input card numbers using the handset, the unique audio tones generated by pressing keypad buttons would make it straightforward to recover the 16-digit number and expiry date.
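The keypad tones are the weak point in these recordings, so one mitigation is to mute them before a call is ever written to storage. The sketch below is an added example, not code from Teletext Holidays, Verdict or this article: it flags frames in which one low-group and one high-group DTMF frequency dominate and zeroes them, without reading out any digit. The 8 kHz rate, frame size, thresholds and all function names are assumptions, and the "call" is a constructed signal.

```python
import math

LOW = (697, 770, 852, 941)       # DTMF low-group frequencies, Hz
HIGH = (1209, 1336, 1477, 1633)  # DTMF high-group frequencies, Hz
RATE = 8000                      # assumed telephony sample rate
FRAME = 205                      # samples per analysis frame (about 26 ms)

def goertzel_power(frame, freq, rate=RATE):
    """Squared magnitude of one frequency component (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def is_dtmf(frame, rate=RATE):
    """True when one low-group plus one high-group tone carry most of the energy."""
    energy = sum(x * x for x in frame)
    if energy < 1e-6:
        return False  # silence
    scale = 2.0 / len(frame)  # turns Goertzel power into that tone's share of energy
    low = scale * max(goertzel_power(frame, f, rate) for f in LOW)
    high = scale * max(goertzel_power(frame, f, rate) for f in HIGH)
    return min(low, high) > 0.2 * energy and low + high > 0.6 * energy

def redact_dtmf(samples, rate=RATE, frame=FRAME):
    """Zero every full frame that contains a keypad tone; return (audio, muted frames)."""
    cleaned, muted = list(samples), []
    for start in range(0, len(samples) - frame + 1, frame):
        if is_dtmf(samples[start:start + frame], rate):
            cleaned[start:start + frame] = [0.0] * frame
            muted.append(start // frame)
    return cleaned, muted

def tone(freqs, n, amp=0.5, rate=RATE):
    """Constructed test signal: sum of sine waves, n samples long."""
    return [sum(amp * math.sin(2 * math.pi * f * t / rate) for f in freqs)
            for t in range(n)]

def constructed_call():
    """Constructed recording: 440 Hz stand-in for speech around two keypad presses."""
    speech, gap = tone((440,), 4 * FRAME), [0.0] * FRAME
    return (speech + tone((697, 1209), 3 * FRAME) + gap
            + tone((852, 1477), 3 * FRAME) + gap + speech)

if __name__ == "__main__":
    cleaned, muted = redact_dtmf(constructed_call())
    print("muted frames:", muted)
```

A production recorder would also mute a guard interval either side of each flagged frame and handle the trailing partial frame, which this sketch leaves untouched.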
In a statement, Truly Travel said: "We are in the process of reporting the matter to the ICO, and we will fully comply with our wider legal obligations. The company is taking all appropriate steps to ensure that this situation does not occur in the future."
Malcolm Taylor, director of cyber advisory services at threat intel firm ITC Secure, opined that customer details being contained in audio files didn't lessen the severity of the data breach or lower Teletext Holidays' culpability.
"Aside from the painfully obvious 'please don't store unencrypted data in unencrypted data stores and be at all surprised when it leaks', this makes the point very well that the actual medium in which data is stored is irrelevant," said Taylor. "The fact that these were voice files makes no difference to the value of the data to hackers. It all has a dollar value and is saleable online, and will be for sale already."
Insecure AWS buckets are meant to be things of the past. While the tech world and his dog regularly bellows "secure your damn buckets" at the industry, Amazon itself has been making slow but steady progress on introducing dashboard alerts for admins charged with overseeing S3 buckets – something it first did in 2017.
Regardless, many companies still leave their S3 buckets unsecured and popular tools such as Shodan are still being used to identify them even now; to the point where Magecart malware purveyors find open buckets and then introduce payment-card-data-stealing nasties to them.