Colombian loan firm leaks thousands of customer service calls

Earlier this month, an independent security researcher caught California-based Bank of Cardiff neglecting a leak of more than 1 million audio recordings of calls by bank employees, potentially revealing sensitive customer information to anybody who accessed the online directory from their browser. Following that revelation, another security researcher caught Colombian pension loan provider Filialcoop neglecting a similar leak, of more than 54,000 recordings of its customer calls.

The number of recordings in the online directory grows larger by the day, cybersecurity research and defense company GroupSense tells The Parallax. GroupSense reported the breach in late February to Bogota-based Filialcoop and its third-party VoIP call center manager, GM Soluciones—neither of which has taken the basic security step of using HTTPS for its public-facing site. (GM Soluciones advertises itself as having “high security standards.”)

In February, the number of leaked recordings was fewer than 43,000. Since then, the directory has grown by 20 percent. The Spanish-language recordings date back to November 25, 2013, and as of publication, the most recent recordings were uploaded on Monday, August 26.

A native Spanish speaker unaffiliated with GroupSense who listened to several of the recordings confirmed to The Parallax that they contain multiple types of PII, or personally identifiable information, variably including customer names, home addresses, email addresses, financial information, credit card numbers, national identification card numbers, and phone numbers.

Kurtis Minder, CEO and co-founder of GroupSense, says he sees PII skims of leaked call center recordings as a growing threat to consumers online.

“Right now, there’s somebody on the phone in Colombia being recorded, and that recording is going to show up in the directory,” Minder says. “In the U.S., we’re really starting to pay attention to these breaches. But outside the U.S., it’s still the Wild West, and there’s no infrastructure to protect individuals.”

Leaked audio and video recordings pose a challenging risk to organizations that routinely gather and record customers’ personal information during customer service interactions “to ensure quality.” And while customer service call center recordings are usually more difficult to access and parse than a typical purloined database on the Dark Web, their conversational and confidential nature tends to lead to a wider or deeper scope of PII.

Minder says many of the breaches GroupSense encounters (and has noted on its blog) are the result of poorly configured security settings. Fix the settings, he says, and the leaked folder becomes invisible to the Internet at large. Ignore the settings, however, and the problem gets worse.

“Leaked PII leads to account takeovers,” he says. Leaked call recordings make it easier to take over accounts because they can directly tie the caller’s non-financial PII to account numbers, Minder says. For example, he warns, malicious hackers “might know the answer to your secret questions to get access to your account.”

It isn’t clear how many hackers or hacking groups have accessed information from the Filialcoop calls, or used it to either hack into accounts or create fake accounts. But Minder says recordings are in the hands of at least one known group of Russia-affiliated, hacking-for-hire cybercriminals, the Kelvin Security Team, which leaked the data on at least one online forum known as an outlet for cybercriminals and scammers to exchange and sell information.

The Parallax has independently confirmed that the cybercriminal group has a reputation for stealing data from countries in North America, South America, and Europe, often dumping the stolen data on online forums. A GroupSense report on the Kelvin Security Team’s account on Pastebin, a common Internet location that hackers use for posting stolen data, says the account has been viewed more than 99,000 times, and the Pastebin posts viewed more than 303,000 times.

Emails and call logs that Minder shared with The Parallax show that multiple attempts by GroupSense to contact Filialcoop and GM Soluciones went unanswered. Emails and calls from The Parallax to the companies were not returned.

Part of the challenge organizations face in securing consumer data is in becoming fully aware of what they’ve been collecting in the first place, says Dimitri Sirota, CEO and founder of data protection and privacy security company BigID. He describes many corporations as having a “patchwork quilt” approach to securing their customer data, not just across mainframes or databases, but across different data storage and management services, such as Cassandra and Hadoop.

“You have one group building software, one group upgrading it. There are all kinds of different systems, different authentications,” he says. “Even the chain of custody of the data is not always obvious.”

Absent regulation, Sirota and Minder agree that organizations need to focus on implementing commonly touted best security practices. Apply software patches regularly and in a timely manner; standardize access control to Internet-connected databases; create an efficient way for security researchers to properly report previously unknown vulnerabilities and leaks; and establish a chain of command to verify and fix those vulnerabilities.

In the case of a breach like Filialcoop’s, they say, an organization also needs to examine access logs, investigate who has gained access to leaked files and, most importantly, notify affected customers in a timely manner.
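The access-log review described above can be sketched as follows. This is an added example, not code from the article, GroupSense, or either company. It assumes a web server writing Combined Log Format, a hypothetical exposed path `/recordings/`, and a hypothetical internal range `10.0.0.0/8`; the log lines are constructed and use documentation IP addresses.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values (not from the article): exposed path and the firm's own range.
EXPOSED_PREFIX = "/recordings/"
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Combined Log Format: ip ident user [time] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
10.1.2.3 - - [01/Jan/2024:09:00:01 +0000] "GET /recordings/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:09:05:10 +0000] "GET /recordings/ HTTP/1.1" 200 5120 "-" "Wget/1.20"
203.0.113.7 - - [01/Jan/2024:09:05:11 +0000] "GET /recordings/call-0001.wav HTTP/1.1" 200 880000 "-" "Wget/1.20"
203.0.113.7 - - [01/Jan/2024:09:05:12 +0000] "GET /recordings/call-0002.wav HTTP/1.1" 200 910000 "-" "Wget/1.20"
198.51.100.9 - - [01/Jan/2024:10:00:00 +0000] "GET /recordings/call-0002.wav HTTP/1.1" 403 199 "-" "curl/7.64"
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.64"
"""

def external_access(log_text):
    """Summarize successful external reads under EXPOSED_PREFIX, per client IP."""
    report = defaultdict(lambda: {"listing": False, "files": set(), "bytes": 0,
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(EXPOSED_PREFIX):
            continue
        if any(ip_address(m["ip"]) in net for net in INTERNAL_NETS):
            continue  # the organization's own traffic
        if m["status"] not in ("200", "206"):
            continue  # denied or failed requests served no content
        entry = report[m["ip"]]
        name = m["path"][len(EXPOSED_PREFIX):].split("?", 1)[0]
        if name:
            entry["files"].add(name)   # a specific recording was served
        else:
            entry["listing"] = True    # the directory index itself was served
        entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(report)

def exposed_files(report):
    """Recordings served to any outside client: the customer-notification scope."""
    return sorted(set().union(*(e["files"] for e in report.values())))
```

The per-client summary answers who reached the directory and when; the file list identifies which recordings, and therefore which customers, fall inside the notification scope.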

All organizations that handle PII should actively monitor their databases for these types of data leaks, Minder says, remaining keenly aware that for the want of a proper config, their customers could be lost.