U.K. travel company Truly Travels Ltd., better known as Teletext Holidays, has exposed the records of over 500,000 customer transactions on a misconfigured Amazon Web Services Inc. S3 storage instance, including some 212,000 audio records of customer calls.

Uncovered by Verdict, the voice recordings are said to have taken place between April and August 2016 and range from a few minutes to up to an hour. “Details about each holiday, including flight time, location and cost, can also be heard,” the Verdict claims.

Fortunately, the calls mostly do not include financial information, since customers are required to type their details into a keypad, but in a small number of cases customers do read their credit card numbers out loud. Names and dates of birth were also included in some of the recordings.

In a statement, Truly Travel said “we are in the process of reporting the matter to the [Information Commissioner’s Office] and we will fully comply with our wider legal obligations. The company is taking all appropriate steps to ensure that this situation does not occur in the future.”

Teletext was a video text system that worked over analog television signals with supported television sets from the late 1970s through the mid-1990s, although in some countries it was still around into the early 2000s. As The Register noted, it’s surprising that the company still exists in 2019.

An S3 data breach may be the least of its problems, however. On its blog page, it shares customer reviews that are universally negative.

“Aside from the painfully obvious ‘please don’t store unencrypted data in unencrypted data stores and be at all surprised when it leaks,’ this makes the point very well that the actual medium in which data is stored is irrelevant,” Malcolm Taylor, director of cyber advisory services at threat intelligence firm ITC Secure Ltd., told The Register. “The fact that these were voice files makes no difference to the value of the data to hackers. It all has a dollar value and is salable online, and will be for sale already.”

The list of companies exposing their data via misconfigured AWS S3 instance is so long that it would require a standalone article to detail them all. A small sample includes Accenture PLC, U.S. Army Intelligence and Security Command, Verizon Communications Inc., TigerSwan, FedEx Corp., Octoly, True Corp. and Veeam Software Inc.

Image: BBC/Wikimedia Commons