Robocaller firm Stratics Network exposed Millions of Call Recordings

If you’ve ever had a voicemail appear out of nowhere, there’s a good chance Stratics Networks was involved.

The Toronto-based company is the self-proclaimed inventor of “ringless voicemails,” providing its customers a way of auto-dialing a list of phone numbers and dropping voicemails without leaving a missed call. The system uses a backdoor voicemail number typically reserved by the carrier to leave a voicemail directly in a person’s mailbox. The company once claimed it can process up to 10,000 ringless voicemails per minute — if you pay for it.

But the company left its back-end storage server open without a password, exposing thousands of outgoing and incoming recordings.

Security researcher John Wethington found the exposed server and asked TechCrunch to contact Stratics to secure the data. The server, hosted on Amazon Web Services, contained at least 100,000 recordings from more than 4,000 folders, each representing a single customer campaign.

According to BinaryEdge data, the exposed server was first detected on April 5, but may have been exposed for longer.

“This data was open to anyone with a browser and required no special access or privileges,” Wethington told TechCrunch. “I genuinely hope we were the first to identify it and responsibly disclose it because if that data is in unethical or criminal hands it’s going to be abused.”

“Organizations must consider the privacy ethics and not just the regulations when offering services,” he said. “The potential for abuse and privacy violations is every corporation’s and executive’s responsibility.”

Customers use the company’s offering to leave voicemails without needing someone to call each person — from debt collectors to doctor’s offices reminding patients about upcoming appointments. Not only does the company allow customers to record outgoing voicemails to ensure a voicemail actually dropped, it also records incoming calls when someone picks up.

It was those recordings that were exposed, said Wethington. TechCrunch reviewed several folders of recordings.

In one case, we found several counties in Florida used Stratics to inform citizens that their election postal ballots were set to expire. One folder contained more than 5,200 audio recordings of callers responding to voicemail drops sent by Broward County and Hillsborough County. Of the several recordings we heard, many callers provided sensitive information over the phone, including their names, addresses, dates of birth and, in some cases, their voter ID numbers.

Other folders in the exposed data contained dozens of incoming call recordings from those who had been sent a voicemail drop. One of those was a law firm, which call center workers identified as Key Tax Group. Of the calls we reviewed, none of the callers knew why they had been left an unsolicited voicemail, but all were asked by the call center worker if they needed help with their taxes. At no point were the callers told that the calls were being recorded, despite laws in several states, like California and Maryland, mandating that everyone on the same call agree that the call can be recorded. Each recording had the unsuspecting caller’s phone number in the filename. When contacted by TechCrunch, several of the victims of the cold-call scam confirmed they lived in states with two-party laws.

And one other company, which the call center worker identified as Michigan Comfort, received more than a hundred calls as recently as this month from people who had been dropped an unsolicited voicemail. Following much the same pattern as the law firm, those callers were asked if they were interested in “a duct inspection or a furnace rebate.”

“You shouldn’t call people out of the blue and neither should your company,” said one angry victim in a recording.

Although Stratics’ website says it “does not tolerate spam in any form,” the company puts the onus of compliance on its customers. “You are 100% liable for compliance when making calls originating under your account,” says its website.

Shortly after we contacted the company Thursday about the data exposure, the leaking server was secured.

“We take compliance and data security very seriously, and we are currently investigating to determine to what extent, if any, information has been exposed to unauthorized access,” said Chris Collins, a spokesperson for Stratics. “We have currently engaged an outside legal firm to guide us in our investigation. We are also engaging a third party cyber security firm to perform a full internal security audit.”

TechCrunch sent Stratics several questions about spam and call recording. Collins said Stratics would “block” users found in violation of its policies, and that its customers bore the responsibility to follow all local, state and federal call recording laws.

Following our disclosure, the company pulled its “discover” section from the site. When asked, Collins said this was “to avoid our website from being overloaded” in response to this article.

We also asked how long the data was exposed, whether the company will notify customers and regulators per state data breach notification laws, and whether anyone else had accessed the storage server.

Stratics declined to comment further.

*********

(TLB) published this article from TechCrunch with our appreciation for the information and availability. 
