A massive data breach of at least one telemarketing firm has exposed thousands of recorded telephone conversations in which customers provided sensitive information, including their credit card details.
Earlier this month, security researchers discovered several hundred thousand recorded phone conversations in an unsecured database online. The calls originate from a server named “VICIMARKETING.”
It is unclear from the recordings whether the audio files belong to VICI Marketing, LLC, a Largo-area telemarketing service, or another firm. As many as 375,000 recorded calls appear to be unsolicited “cold calls” to U.S. residents, a portion of which contain at least some personally identifiable information. More than 17,000 recordings, however, are believed to contain sensitive details about telemarketing customers, including names, billing addresses, and credit card numbers, along with card expiration dates and three-digit card security codes (CVV)—everything an identity thief would need to rack up fraudulent bank charges online.
The data breach, which was secured as of Thursday, was first discovered during a routine security audit by the MacKeeper Security Research Center, a subsidiary of the international IT firm Kromtech Alliance. Due to the vast amount of data leaked, it may take several weeks to fully evaluate the impact of the breach, a researcher said. (Kromtech says it plans to destroy the leaked data once its damage assessment is complete.)
Kromtech has in the past worked closely with law enforcement and the U.S. Department of Homeland Security in cases where leaked data became part of a criminal investigation. One thing is clear, the IT firm said: “There is enough information in each call to provide cyber criminals with all they need to steal the credit card information or commit a wide range of crimes.”
Jeremiah Fowler of the MacKeeper research team warns that companies must take “every precaution” to secure their customers' financial information. “It does not matter if they are spreadsheets, scanned images, or in this case nearly 400,000 audio recordings,” he said. In one of the audio recordings played for experts, a customer service representative can be heard identifying himself as an employee of Quality Resources, a customer acquisition firm based in Clearwater, Florida. (Quality Resource and VICI Marketing have employed several of the same people, according to LinkedIn.)
At the top of the call, the rep is heard warning a customer that, “For quality control, this call may be recorded.” The customer is then prompted to confirm personal information about himself, including, twice, complete credit card information. In 2008, experts reported that VICI Marketing agreed to pay $350,000 to settle a complaint by the Florida Attorney General's office, which accused the company of obtaining stolen data on U.S. consumers. The company was also fined the previous year for employing unlicensed telemarketers, including some who had felony convictions for fraud and identity theft.
The Tampa Bay newspaper further reported that VICI Marketing claimed to have halted consumer telemarketing operations in December 2007, to focus instead on business-to-business sales. VICI Marketing could not be reached for comment. A phone number on its website no longer appears to reach the company, and the only email address—designated for hiring purposes—did not immediately respond to a request for comment. Calls to Quality Resource returned only a busy signal.