Broadvoice, a well-known VoIP provider that serves small- and medium-sized businesses, has leaked more than 350 million customer records related to the company’s “b-hive” cloud-based communications suite.
The data includes hundreds of thousands of voicemail transcripts, many involving sensitive information such as details about medical prescriptions and financial loans.
Broadvoice provides one of the more popular business platforms for communications, which includes voice, contact-center technology, remote-workforce help, Salesforce.com integration, unified communications, SIP trunking and more. Much of this is offered via b-hive, which it hosts on behalf of customers such as doctors’ offices, law firms, retail stores, community organizations and more.
Because its technology underpins these customers’ basic interactions with patients, clients, partners, suppliers and others, plenty of personal data flows through Broadvoice’s cloud-based systems. And that data is apparently retained by the company, so that its business clients can access it if needed, for analytics and call-center quality control, among other things.
Unfortunately, according to researchers at Comparitech, Broadvoice left an Elasticsearch database cluster containing such information open to the internet, accessible to anyone, with no authentication required. The cache of data included records with personal details of Broadvoice clients’ customers, they noted.
The largest collection (275 million records) included full caller name, caller ID, phone number, and city and state. Meanwhile, a collection entitled “people-production” contained account ID numbers for Broadvoice’s own customers, which allowed researchers to cross-reference entries with records in other collections.
