British travel company Teletext Holidays has suffered a data breach in which some 212,000 customer call audio files were left unprotected on an online server for three years, exposing customer names, email addresses, home addresses, phone numbers and dates of birth.
Truly Travels, trading as Teletext Holidays, formed out of the once-popular television information text service. It now advertises package holidays online and completes bookings over the phone. Verdict discovered the files – which have since been removed – on an unsecured Amazon Web Services server. In total, there were 532,000 files. Of those, 212,000 were audio files from Teletext customers calling its India-based call centre.
The calls took place between 10 April 2016 and 10 August 2016. They range from a few minutes to up to an hour and, based on accents, appear to involve UK customers. In recordings heard by Verdict, customers can be heard booking holidays, amending bookings, enquiring about trips and making complaints. Details about each holiday, including flight time, location and cost, can also be heard.
In conversations where a holiday is booked, customers also tell the Teletext Holidays employees partial card details. This includes the type of card, name on card and expiry date. Instead of saying their card number and three-digit security number, customers type them into the keypad – protecting the most serious financial information. In a very small number of calls, Verdict heard customers begin to say their card number out loud, before the call centre operator interjected. The names and dates of birth of accompanying passengers, such as partners and children, can also be heard.
Teletext Holidays removed all 532,000 files almost immediately after Verdict notified the company. In a statement, a spokesperson for Truly Travel (trading as Teletext Holidays) said: “We are in the process of reporting the matter to the ICO, and we will fully comply with our wider legal obligations.
“The company is taking all appropriate steps to ensure that this situation does not occur in the future.”