SECURITY
SECURITY
SECURITY
UK travel company exposes customer calls on misconfigured cloud storage
U.K. travel company Truly Travels Ltd., better known as Teletext Holidays, has exposed the records of over 500,000 customer transactions on a misconfigured Amazon Web Services Inc. S3 storage instance, including some 212,000 audio records of customer calls.
Uncovered by Verdict, the voice recordings are said to have taken place between April and August 2016 and range from a few minutes to up to an hour. “Details about each holiday, including flight time, location and cost, can also be heard,” the Verdict claims.
Fortunately, the calls mostly do not include financial information, since customers are required to type their details into a keypad, but in a small number of cases customers do read their credit card numbers out loud. Names and dates of birth were also included in some of the recordings.
In a statement, Truly Travel said “we are in the process of reporting the matter to the [Information Commissioner’s Office] and we will fully comply with our wider legal obligations. The company is taking all appropriate steps to ensure that this situation does not occur in the future.”
Teletext was a video text system that worked over analog television signals with supported television sets from the late 1970s through the mid-1990s, although in some countries it was still around into the early 2000s. As The Register noted, it’s surprising that the company still exists in 2019.
An S3 data breach may be the least of its problems, however. On its blog page, it shares customer reviews that are universally negative.
“Aside from the painfully obvious ‘please don’t store unencrypted data in unencrypted data stores and be at all surprised when it leaks,’ this makes the point very well that the actual medium in which data is stored is irrelevant,” Malcolm Taylor, director of cyber advisory services at threat intelligence firm ITC Secure Ltd., told The Register. “The fact that these were voice files makes no difference to the value of the data to hackers. It all has a dollar value and is salable online, and will be for sale already.”
The list of companies exposing their data via misconfigured AWS S3 instance is so long that it would require a standalone article to detail them all. A small sample includes Accenture PLC, U.S. Army Intelligence and Security Command, Verizon Communications Inc., TigerSwan, FedEx Corp., Octoly, True Corp. and Veeam Software Inc.
Image: BBC/Wikimedia Commons
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
