If you’ve ever had a voicemail appear out of nowhere, there’s a good chance Stratics Networks was involved.
The Toronto-based company is the self-proclaimed inventor of “ringless voicemails,” providing its customers a way of auto-dialing a list of phone numbers and dropping voicemails without leaving a missed call. The system uses a backdoor voicemail number typically reserved by the carrier to leave a voicemail directly in a person’s mailbox. The company once claimed it can process up to 10,000 ringless voicemails per minute — if you pay for it.
But the company left its back-end storage server open without a password, exposing thousands of outgoing and incoming recordings.
Security researcher John Wethington found the exposed server and asked TechCrunch to contact Stratics to secure the data. The server, hosted on Amazon Web Services, contained at least 100,000 recordings from more than 4,000 folders, each representing a single customer campaign.
According to BinaryEdge data, the exposed server was first detected on April 5, but may have been exposed for longer.
“This data was open to anyone with a browser and required no special access or privileges,” Wethington told TechCrunch. “I genuinely hope we were the first to identify it and responsibly disclose it because if that data is in unethical or criminal hands it’s going to be abused.”
“Organizations must consider the privacy ethics and not just the regulations when offering services,” he said. “The potential for abuse and privacy violations is every corporation and executives responsibility.”
Customers use the company’s offering to leave voicemails without needing someone to call each person — from debt collectors to doctor’s offices reminding patients about upcoming appointments. Not only does the company allow customers to record outgoing voicemails to ensure a voicemail actually dropped, it also records incoming calls when someone picks up.
It was those recordings that were exposed, said Wethington. TechCrunch reviewed several folders of recordings.
In one case, we found several counties in Florida used Stratics to inform citizens that their election postal ballots are set to expire. One folder contained more than 5,200 audio recordings on callers responding to voicemail drops sent by Broward County and Hillsborough County. Of the several recordings we heard, many provided sensitive information over the phone — including their names, addresses, dates of birth and, in some cases, their voter ID numbers.
Other folders in the exposed data contained dozens of incoming call recordings from those who had been sent a voicemail drop. One of those was a law firm, which call center workers identified as Key Tax Group. Of the calls we reviewed, none knew why they were left an unsolicited voicemail but were all asked by the call center worker if they needed help with their taxes. At no point were the callers told that the calls were being recorded, despite call recording laws in several states — like California and Maryland — mandating everyone on the same call agrees that the call can be recorded. Each recording had the unsuspected caller’s phone number in the filename. When contacted by TechCrunch, several of the victims of the cold-call scam confirmed they lived in states with two-party laws.
And, one other company, which the call center worker identified as Michigan Comfort, received more than a hundred calls as recently as this month from people who had been dropped an unsolicited voicemail. Much to the same pattern as the law firm, those callers were asked if they were interested in “a duct inspection or a furnace rebate.”
“You shouldn’t call people out of the blue and neither should your company,” said one angry victim in a recording.
Although Stratics’ website says it “does not tolerate spam in any form,” the company puts the onus of compliance with the customers. “You are 100% liable for compliance when making calls originating under your account,” says its website.
Shortly after contacting the company Thursday about the data exposure, the leaking server had been secured.
“We take compliance and data security very seriously, and we are currently investigating to determine to what extent, if any, information has been exposed to unauthorized access,” said Chris Collins, a spokesperson for Stratics. “We have currently engaged an outside legal firm to guide us in our investigation. We are also engaging a third party cyber security firm to perform a full internal security audit.”
TechCrunch sent Stratics several questions about spam and call recording. Collins said Stratics would “block” users found in violation of its policies, and that its customers bore the responsibility to follow all local, state and federal call recording laws.
Following our disclosure, the company had pulled its “discover” section from the site. When asked, Collins said this was “to avoid our website from being overloaded” in response to this article.
We also asked how long the data was exposed, if the company will notify customers and regulators per state data breach notification laws or if anyone else had accessed the storage server.
Stratics declined to comment further.