[BreachExchange] Robocall Legal Advocate Leaks Customer Data

Destry Winant destry at riskbasedsecurity.com
Tue Aug 4 10:28:59 EDT 2020


https://securityboulevard.com/2020/08/robocall-legal-advocate-leaks-customer-data/

A California company that helps telemarketing firms avoid getting sued
for violating a federal law that seeks to curb robocalls has leaked
the phone numbers, email addresses and passwords of all its customers,
as well as the mobile phone numbers and other data on people who have
hired lawyers to go after telemarketers.

The Blacklist Alliance provides technologies and services to marketing
firms concerned about lawsuits under the Telephone Consumer Protection
Act (TCPA), a 1991 law that restricts the making of telemarketing
calls through the use of automatic telephone dialing systems and
artificial or prerecorded voice messages. The TCPA prohibits contact
with consumers — even via text messages — unless the company has
“prior express consent” to contact the consumer.

With statutory damages of $500 to $1,500 per call, the TCPA has
prompted a flood of lawsuits over the years. From the telemarketer’s
perspective, the TCPA can present something of a legal minefield in
certain situations, such as when a phone number belonging to someone
who’d previously given consent gets reassigned to another subscriber.

Enter The Blacklist Alliance, which promises to help marketers avoid
TCPA legal snares set by “professional plaintiffs and class action
attorneys seeking to cash in on the TCPA.” According to the Blacklist,
one of the “dirty tricks” used by TCPA “frequent filers” includes
“phone flipping,” or registering multiple prepaid cell phone numbers
to receive calls intended for the person to whom a number was
previously registered.

Lawyers representing TCPA claimants typically redact their clients’
personal information from legal filings to protect them from
retaliation and to keep their contact information private. The
Blacklist Alliance researches TCPA cases to uncover the phone numbers
of plaintiffs and sells this data in the form of list-scrubbing
services to telemarketers.

“TCPA predators operate like malware,” The Blacklist explains on its
website. “Our Litigation Firewall isolates the infection and protects
you from harm. Scrub against active plaintiffs, pre-litigation
complainers, active attorneys, attorney associates, and more. Use our
robust API to seamlessly scrub these high-risk numbers from your
outbound campaigns and inbound calls, or adjust your suppression
settings to fit your individual requirements and appetite for risk.”

Unfortunately for the Blacklist’s paying customers and for people
represented by attorneys filing TCPA lawsuits, the Blacklist’s own Web
site until late last week leaked reams of data to anyone with a Web
browser. Thousands of documents, emails, spreadsheets, images and the
names tied to countless mobile phone numbers could all be viewed or
downloaded without authentication from the domain theblacklist.click.

The directory also included all 388 Blacklist customer API keys, as
well as each customer’s phone number, employer, username and password
(scrambled with the relatively weak MD5 password hashing algorithm).
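The weakness just described is storing passwords as unsalted MD5 digests, which are fast to compute and easy to match against precomputed tables once a database leaks. The following is an added example, not code from the article or from The Blacklist, showing the defensive pattern a site in this position would apply: detect legacy MD5 records, verify with a constant-time comparison, and transparently re-hash with a salted, memory-hard KDF (scrypt) the next time a user logs in successfully. The storage string format and the scrypt parameters are assumptions chosen for the example; the sample user row is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample row in the legacy format the article describes:
# an unsalted hex MD5 digest of the user's password.
LEGACY_PASSWORD = "example-password"
LEGACY_MD5_ROW = {
    "username": "demo-user",
    "pw_hash": hashlib.md5(LEGACY_PASSWORD.encode()).hexdigest(),
}


def is_legacy_md5(stored: str) -> bool:
    """Detect an unsalted MD5 digest: exactly 32 hex characters, no scheme tag."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hash with scrypt and a random 16-byte salt.

    Assumed storage format: scrypt$<n>$<r>$<p>$<salt hex>$<key hex>.
    n=2**14, r=8, p=1 uses about 16 MiB per hash, which keeps it within
    hashlib.scrypt's default memory limit while still being expensive to brute-force.
    """
    salt = salt or os.urandom(16)
    n, r, p = 2 ** 14, 8, 1
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a password against either storage format, in constant time."""
    if is_legacy_md5(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored.lower())
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, key_hex = parts
    key = hashlib.scrypt(
        password.encode(),
        salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=32,
    )
    return hmac.compare_digest(key.hex(), key_hex)


def login_and_upgrade(row: dict, password: str) -> bool:
    """Authenticate the user; on success, replace a legacy MD5 record with scrypt.

    The plaintext is only available at login, so this is the one moment a
    site can migrate old records without forcing a mass password reset.
    """
    if not verify_password(password, row["pw_hash"]):
        return False
    if is_legacy_md5(row["pw_hash"]):
        row["pw_hash"] = hash_password(password)
    return True


if __name__ == "__main__":
    row = dict(LEGACY_MD5_ROW)
    print("before:", row["pw_hash"])
    print("login ok:", login_and_upgrade(row, LEGACY_PASSWORD))
    print("after: ", row["pw_hash"])
```

A wrong password leaves the legacy record untouched, so the upgrade never runs on unverified input; records that are never logged into again should be expired and their owners forced through a reset, since their MD5 digests remain exposed in any copy of the leaked database.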

The leaked Blacklist customer database points to various companies you
might expect to see using automated calling systems to generate
business, including real estate and life insurance providers, credit
repair companies and a long list of online advertising firms and
individual digital marketing specialists.

The very first account in the leaked Blacklist user database
corresponds to its CEO Seth Heyman, an attorney in southern
California. Mr. Heyman did not respond to multiple requests for
comment, although The Blacklist stopped leaking its database not long
after that contact request.

Two other accounts marked as administrators were among the third and
sixth registered users in the database; those correspond to two
individuals at Riip Digital, a California-based email marketing
concern that serves a diverse range of clients in the lead generation
business, from debt relief and timeshare companies, to real estate
firms and CBD vendors.

Riip Digital did not respond to requests for comment. But according to
Spamhaus, an anti-spam group relied upon by many Internet service
providers (ISPs) to block unsolicited junk email, the company has a
storied history of so-called “snowshoe spamming,” in which junk
email purveyors try to evade spam filters and blacklists by
spreading their spam-sending systems across a broad swath of domains
and Internet addresses.

The irony of this data leak is that marketers who constantly scrape
the Web for consumer contact data may not realize the source of the
information, and end up feeding it into automated systems that peddle
dubious wares and services via automated phone calls and text
messages. To the extent this data is used to generate sales leads that
are then sold to others, such a leak could end up causing more legal
problems for The Blacklist’s customers.

The Blacklist and their clients talk a lot about technologies that
they say separate automated telephonic communications from
dime-a-dozen robocalls, such as software that delivers recorded
statements that are manually selected by a live agent. But for your
average person, this is likely a distinction without a difference.

Robocalls are permitted for political candidates, but beyond that if
the recording is a sales message and you haven’t given your written
permission to get calls from the company on the other end, the call is
illegal. According to the Federal Trade Commission (FTC), companies
are using auto-dialers to send out thousands of phone calls every
minute for an incredibly low cost.

In fiscal year 2019, the FTC received 3.78 million complaints about
robocalls. Readers may be able to avoid some marketing calls by
registering their mobile number with the Do Not Call registry, but the
list appears to do little to deter all automated calls — particularly
scam calls that spoof their real number. If and when you do receive
robocalls, consider reporting them to the FTC.

Some wireless providers now offer additional services and features to
help block automated calls. For example, AT&T offers wireless
customers its free Call Protect app, which screens incoming calls and
flags those that are likely spam calls. See the FCC’s robocall
resource page for links to resources at your mobile provider. In
addition, there are a number of third-party mobile apps designed to
block spammy calls, such as Nomorobo and TrueCaller.

Obviously, not all telemarketing is spammy or scammy. I have friends
and relatives who’ve worked at non-profits that rely a great deal on
fundraising over the phone. Nevertheless, readers who are fed up with
telemarketing calls may find some catharsis in the Jolly Roger
Telephone Company, which offers subscribers a choice of automated bots
that keep telemarketers engaged for several minutes. The service lets
subscribers choose which callers should get the bot treatment, and
then records the result.

For my part, the volume of automated calls hitting my mobile number
got so bad that I recently enabled a setting on my smart phone to
simply send to voicemail all calls from numbers that aren’t already in
my contacts list. This may not be a solution for everyone, but since
then I haven’t received a single spammy jingle.
