If you’ve ever had a voicemail appear out of nowhere, there’s a good chance Stratics Networks was involved.
The Toronto-based company is the self-proclaimed inventor of “ringless voicemails,” providing its customers a way of auto-dialing a list of phone numbers and dropping voicemails without leaving a missed call. The system uses a backdoor voicemail number typically reserved by the carrier to leave a voicemail directly in a person’s mailbox. The company once claimed it can process up to 10,000 ringless voicemails per minute — if you pay for it.
But the company left its back-end storage server open without a password, exposing thousands of outgoing and incoming recordings.
Security researcher John Wethington found the exposed server and asked TechCrunch to contact Stratics to secure the data. The server, hosted on Amazon Web Services, contained at least 100,000 recordings from more than 4,000 folders, each representing a single customer campaign.
According to BinaryEdge data, the exposed server was first detected on April 5, but may have been exposed for longer.
“This data was open to anyone with a browser and required no special access or privileges,” Wethington told TechCrunch. “I genuinely hope we were the first to identify it and responsibly disclose it because if that data is in unethical or criminal hands it’s going to be abused.”
“Organizations must consider the privacy ethics and not just the regulations when offering services,” he said. “The potential for abuse and privacy violations is every corporation and executives responsibility.”
Customers use the company’s offering to leave voicemails without needing someone to call each person — from debt collectors to doctor’s offices reminding patients about upcoming appointments. Not only does the company allow customers to record outgoing voicemails to ensure a voicemail actually dropped, it also records incoming calls when someone picks up.
It was those recordings that were exposed, said Wethington. TechCrunch reviewed several folders of recordings.
In one case, we found several counties in Florida used Stratics to inform citizens that their election postal ballots are set to expire. One folder contained more than 5,200 audio recordings on callers responding to voicemail drops sent by Broward County and Hillsborough County. Of the several recordings we heard, many provided sensitive information over the phone — including their names, addresses, dates of birth and, in some cases, their voter ID numbers.
Other folders in the exposed data contained dozens of incoming call recordings from those who had been sent …read more