[BreachExchange] Teletext Holidays a) exists and b) left 200k customer call recordings exposed in S3 bucket

Destry Winant destry at riskbasedsecurity.com
Tue Sep 3 09:56:56 EDT 2019


Teletext Holidays managed to leave more than 200,000 customer phone
call recordings exposed on an unsecured AWS server, according to

A total of 532,000 files were exposed on AWS servers belonging to
Truly Travel, the company that trades as Teletext Holidays, of which
212,000 were recordings of live news.

Verdict, the news site that first reported the breach, said the calls
were recorded between April and August 2016. They involved Britons
ringing up Teletext Holidays to make bookings, change them, complain
and do all the other things people do when they phone a company with
which they have a booked service.

"In conversations where a holiday is booked, customers also tell the
Teletext Holidays employees partial card details. This includes the
type of card, name on card and expiry date," reported the site.

While basic security measures were implemented, in that customers were
told to input card numbers using the handset, the unique audio tones
generated by pressing keypad buttons would make it straightforward to
recover the 16-digit number and expiry date.

In a statement, Truly Travel said: "We are in the process of reporting
the matter to the ICO, and we will fully comply with our wider legal
obligations. The company is taking all appropriate steps to ensure
that this situation does not occur in the future."

Malcolm Taylor, director of cyber advisory services at threat intel
firm ITC Secure, opined that customer details being contained in audio
files didn't lessen the severity of the data breach or lower Teletext
Holidays' culpability.

"Aside from the painfully obvious 'please don't store unencrypted data
in unencrypted data stores and be at all surprised when it leaks',
this makes the point very well that the actual medium in which data is
stored is irrelevant," said Taylor. "The fact that these were voice
files makes no difference to the value of the data to hackers. It all
has a dollar value and is saleable online, and will be for sale

Insecure AWS buckets are meant to be things of the past. While the
tech world and his dog regularly bellows "secure your damn buckets" at
the industry, Amazon itself has been making slow but steady pace on
introducing dashboard alerts for admins charged with overseeing S3
buckets – something it first did in 2017.

Regardless, many companies still leave their S3 buckets unsecured and
popular tools such as Shodan are still being used to identify them
even now; to the point where Magecart malware purveyors find open
buckets and then introduce payment-card-data-stealing nasties to them.

More information about the BreachExchange mailing list