Thousands of credit card details exposed as US marketing firm leaks 400,000 audio calls

Roughly 400,000 recorded customer phonecalls stored by at least one US-based telemarketing firm have been leaked online due to a misconfigured database. The company in question, called VICI Marketing LLC, has previously faced legal action over the mishandling of consumer data.

According to security researchers from the MacKeeper Security Research Centre, which provided IBTimes UK with a sample of the leaked audio, the compromised data included customer names, addresses, credit card numbers, expiry dates and three-digit CVV codes.

While over 17,000 contained sensitive and financial details, a further 375,368 "cold calls", some also containing personal information, were also left online without adequate password protection. Luckily, the leaky database was secured on 26 January (Thursday).

It is unknown how long the database was left online and publicly exposed. MacKeeper researchers told IBTimes UK it had been in touch with VICI Marketing's IT manager but he did not provide that information. The calls, meanwhile, are as recent as January this year.

The security researchers' investigation into the breach remains ongoing, however they claim it is one of the largest they have ever come across online. Now, the team said it will work with law enforcement and the US Homeland Security to finish the probe.

MacKeeper said it downloaded a 28GB-sized copy of the leaked database for verification purposes and that it plans to delete the information once the case is closed. This process may take weeks due to the sheer size of the data leak.

In one of the calls shared with IBTimes UK, an operator is heard telling a caller in November 2015 their conversation is being recorded. The caller then confirms a slew of personal information, including her home address and full credit card number.

In many of the recordings, callers appear to be confirming product or sales orders. However, it should be noted it is often difficult to confirm if every call is linked to VICI Marketing as the operators are not always heard metioning the company's name. The MacKeeper researchers said VICI Marketing may be an umbrella firm that operates a number of smaller entities.

"There is enough information in each call to provide cybercriminals with all they need to steal the credit card information or commit a wide range of crimes," said MacKeeper's Bob Diachenko in a blog post first published on 27 January.

He added: "Improper data storage or misconfigured databases can happen to companies big and small, but for a company who has already paid a hefty price and has been the subject of regulatory violations it seems like they would take cybersecurity more seriously."

Diachenko was referring to previous litigation taken against VICI Marketing, as reported by the Tampa Bay Times in 2009, when the firm agreed to pay $350,000 to settle a case brought forward by the Florida Attorney General's Office.

The Tampa Bay Times also reported the firm had actually halted its telemarketing activities on 30 December 2017 to focus on "business-to-business sales". The firm has not yet issued any comments regarding the significant leak of customer calls.

It was alleged the company had "obtained stolen consumer information and did not take proper steps to ensure data was acquired legitimately". VICI Marketing did not admit guilt, but agreed to be more careful with customer data in future.