Teletext Holidays Exposes 212,000 Customer Call Recordings

[upnorth]

Content source

https://www.verdict.co.uk/teletext-holidays-data-breach-customer-call/

British travel company Teletext Holidays has suffered a data breach in which some 212,000 customer call audio files were left unprotected on an online server for three years, exposing customer names, email addresses, home addresses, phone numbers and dates of birth.

Truly Travels, trading as Teletext Holidays, formed out of the once-popular television information text service. It now advertises package holidays online and completes bookings over the phone. Verdict discovered the files – which have since been removed – on an unsecured Amazon Web Services server. In total, there were 532,000 files. Of those, 212,000 were audio files from Teletext customers calling its India-based call centre.

The calls took place between the 10 April 2016 and 10 August 2016. They range from a few minutes to up to an hour and, based on accents, appear to involve UK customers. In recordings heard by Verdict, customers can be heard booking holidays, amending bookings, enquiring about trips and making complaints. Details about each holiday, including flight time, location and cost, can also be heard. In conversations where a holiday is booked, customers also tell the Teletext Holidays employees partial card details. This includes the type of card, name on card and expiry date. Instead of saying their card number and three-digit security number, customers type them into the keypad – protecting the most serious financial information. In a very small number of calls, Verdict heard customers begin to say their card number out loud, before the call centre operator interjects. The names and dates of birth of accompanying passengers, such as partners and children, can also be heard. Teletext Holidays removed all 532,000 files almost immediately after Verdict notified the company. In a statement, a Truly Travel spokesperson (trading as Teletext Holidays) spokesperson said : “We are in the process of reporting the matter to the ICO, and we will fully comply with our wider legal obligations. “The company is taking all appropriate steps to ensure that this situation does not occur in the future.”

Personal data, such as email addresses and dates of birth, can prove valuable information for online criminals. It is common for malicious hackers to sell databases containing personal data on underground forums, where it can be merged with additional personal details to create a full identity profile. Data can then be used to carry out identity fraud, phishing or targeted email attacks. Malcolm Taylor, director of cyber advisory at cybersecurity consultancy ITC Secure, described the Teletext Holidays data breach as “an intelligence feed for hackers”. “Aside from the painfully obvious ‘please don’t store unencrypted data in unencrypted data stores and be at all surprised when it leaks’, this makes the point very well that the actual medium in which data is stored is irrelevant; the fact that these were voice files makes no difference to the value of the data to hackers,”