A telemarketing firm appears to have leaked online more than 17,000 calls in which customers disclosed their credit card information to its representatives.
In total, security researchers at MacKeeper uncovered 17,649 audio recordings of telemarketing calls during which customers gave out their names, physical addresses, phone numbers, credit card numbers, CV numbers, and more. That’s more than enough information for attackers to steal someone’s identity, assume control of their credit card, and commit payment fraud.
Additionally, the research team found 375,368 “cold calls” that might also contain customers’ personal information.
So what ties all of these calls together?
They stem from VICI Marketing LLC, a Florida-based marketing company which has a particularly bad reputation when it comes to protecting customers’ information.
Back in 2009, VICI agreed to a $350,000 settlement agreement with the Florida Attorney General’s Office following a complaint that accused the marketing company of having acquired stolen customer data and not taken measures to ensure the information was obtained legally. That agreement stipulated the firm could find itself on the receiving end of a $1 million fine if it did not introduce measures to better protect customers’ and company information.
Uh oh… looks like a six-figure fee could be in VICI’s near future. It all has to do with what these leaked audio recordings contain – or rather DON’T contain.
MacKeeper elaborates on that point in a blog post:
“Some of the recordings do not warn customers that the calls are being recorded or stored. Eleven states require the consent of every party to a phone call or conversation in order to make the recording lawful. These ‘two-party consent’ laws have been adopted in California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania and Washington.”
In addition to the leaked recordings, which total some 28 GB, former employees told MacKeeper that VICI is known to prey upon customers with scams and other suspicious activity. An employee named Justin Tyme said one scam developed by the firm ends up inflating the price of something that would cost $20 in a drug store to over $100. MacKeeper cannot verify the claims of Tyme and others at this time.
As of this writing, it appears the VICI audio recordings leaked online only as the result of a security blunder. But those calls clearly indicate the company is not honoring what it agreed to as part of the 2009 settlement.
I hate to say it, but if a $350,000 fine didn’t wake up the company, maybe a $1 million fee will.
One comment on “Telemarketing firm leaks 17,000 recorded calls, many containing credit card details”
Most iPBX software call center based companies have a method of recording the phone calls. Typically they're stored as raw format WAV unless there is some compression done. Those Mp3s could be ring back tones, hold music, or others. Depending on what and where these "recordings" are being held, there's the money shot.