Consumer Data Exposed in Telemarketing Adviser Breach
Leak Exposed Phone Numbers of Those Upset About Automated Marketing Calls

A California-based organization that helps telemarketing companies avoid lawsuits for unsolicited calls exposed some of its internal files to the internet. Ironically, the breach exposed the phone numbers of those who’ve filed complaints about unsolicited telemarketing.
The breach has also exposed data on thousands of U.S. consumers who expressed interest about health insurance, home mortgage refinancing and small business loans.
The telemarketing legal advisory organization, Blacklist Alliance, acknowledged the data exposure and resolved it after being contacted by Information Security Media Group (ISMG), which was alerted to the leak by an anonymous source.
The exposed data includes names, addresses, phone numbers, email addresses and IP addresses. It also includes legal documents, many of which are public, as well as one Drug Enforcement Administration subpoena and one FBI subpoena.
Blacklist Alliance CEO Seth Heyman says he has retained a privacy and data breach specialist to figure out the company’s obligations under California’s mandatory data breach reporting law.
One apparent source of the exposure was a web server directory left browsable from the internet, which would have let anyone who found it list and download some of the organization’s unencrypted files. Heyman says the Blacklist Alliance is investigating other possible causes of the breach and plans to notify all of its clients.
“We intend to examine every avenue, including third-party service providers with whom we work and pursue any legal action available to us,” Heyman says.
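The browsable directory described above is the classic open directory listing: the web server itself generates an index page of the folder’s contents. As an added example (not code from the article or from Blacklist Alliance), the Python below parses the index pages that Apache’s mod_autoindex and nginx’s autoindex produce, which is how an investigator inventories what was reachable. The two HTML samples are constructed to mimic those pages and are not from the breach; the file names in them are hypothetical.

```python
from __future__ import annotations

import re
from html.parser import HTMLParser

# Added example, not Blacklist Alliance code. Both samples below are constructed
# to mimic auto-generated index pages; the file names are hypothetical.
APACHE_SAMPLE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /uploads</title></head>
<body><h1>Index of /uploads</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="leads.csv">leads.csv</a></td><td>2020-06-01 10:12</td></tr>
<tr><td><a href="letters/">letters/</a></td><td>2020-05-20 08:30</td></tr>
</table></body></html>"""

NGINX_SAMPLE = """<html><head><title>Index of /data/</title></head>
<body><h1>Index of /data/</h1><hr><pre><a href="../">../</a>
<a href="users.csv">users.csv</a>            01-Jun-2020 10:12   48213
<a href="subpoena.pdf">subpoena.pdf</a>      20-May-2020 08:30  102400
</pre><hr></body></html>"""

# Extensions that usually mean bulk records or documents rather than site assets.
SENSITIVE_SUFFIXES = (".csv", ".xls", ".xlsx", ".sql", ".json", ".pdf", ".bak")


class _LinkCollector(HTMLParser):
    """Collects href values of <a> tags; enough for server-generated index pages."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(html: str) -> bool:
    # Apache mod_autoindex and nginx autoindex both title the page "Index of <path>".
    return re.search(r"<title>\s*Index of\s", html, re.IGNORECASE) is not None


def listed_entries(html: str) -> list[str]:
    """Return file and subdirectory names from an auto-generated index page, [] otherwise."""
    if not is_directory_listing(html):
        return []
    collector = _LinkCollector()
    collector.feed(html)
    entries = []
    for href in collector.hrefs:
        # Skip Apache's column-sort links (?C=N;O=D), the parent-directory link
        # (an absolute path on Apache, "../" on nginx) and any absolute URL.
        if href.startswith(("?", "/", "../", "./")) or "://" in href:
            continue
        entries.append(href)
    return entries


def sensitive_entries(html: str) -> list[str]:
    """Subset of listed entries whose extension suggests bulk data or documents."""
    return [e for e in listed_entries(html) if e.lower().endswith(SENSITIVE_SUFFIXES)]


if __name__ == "__main__":
    for server, sample in (("apache", APACHE_SAMPLE), ("nginx", NGINX_SAMPLE)):
        print(server, listed_entries(sample), "sensitive:", sensitive_entries(sample))
```

On the server side the fix is to turn indexing off (Apache `Options -Indexes`, nginx `autoindex off;`) and to put authentication in front of anything that must be served at all; the article does not say which web server Blacklist Alliance runs, so those directives are general guidance rather than a description of its configuration.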
Number ‘Scrubbing’
The Blacklist Alliance works to help protect marketing companies from lawsuits related to the Telephone Consumer Protection Act of 1991. The TCPA bans marketing calls to phone numbers that have been listed on the Federal Trade Commission’s National Do Not Call Registry or without express consent from the recipient.
TCPA litigation is vigorous. In 2014, Capital One and three collection agencies reached a record $75 million settlement in a case that revolved around whether the companies violated the TCPA by using auto-dialing programs to call consumers without their consent. The settlement ended a pending class action suit.
The Blacklist Alliance says on its website that TCPA lawsuits have “become a multi-million dollar litigation industry, in which attorneys and professional plaintiffs reap enormous profits by forcing well-meaning companies to pay outrageous settlements or risk a crippling judgment.”
The Blacklist Alliance collects data on litigants from public sources, such as court filings. Although plaintiffs sometimes have their phone number redacted in the lawsuits, the Blacklist Alliance researches those individuals' phone numbers and then adds them to the lists of phone numbers that should not be called.
It then offers a “scrubbing” service: The organization’s clients upload their marketing or lead-generation lists, and the Blacklist Alliance removes the phone numbers that – if called – might attract a TCPA lawsuit. The service is essentially an extra compliance check for telemarketers.
Ironically, the breach exposed the phone numbers of people who have filed complaints about unwanted telemarketing calls and alleged violations of the TCPA.
Blacklist Alliance’s clients also feed complaint letters about unsolicited calls back to the company, and many of these appear among the breached data. Some letters are from individuals; others are from lawyers alleging a violation of the TCPA, some of whom seek an up-front settlement in lieu of a lawsuit.
Heyman acknowledges that telemarketing and automated dialing is a contentious area. But he says that his company isn’t involved “with rogue robo-diallers who make life miserable for everybody. It’s just the opposite. We’re actually trying to keep people from doing that [making unsolicited calls].”
The exposed data also contains a list of the Blacklist Alliance’s user accounts for its member companies. That includes names, email addresses, password hashes and plain-text API keys. Unlike the hashed passwords, plain-text API keys are usable as-is by anyone who copied the file, so they need to be revoked and reissued. Heyman says the data is part of a new user interface under development and that the Blacklist Alliance has since strengthened its access controls.
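A password hash and a plain-text API key are not equivalent exposures: an API key is a bearer credential, valid until revoked, whereas a salted hash still has to be cracked. The Python below is an added example (not the Blacklist Alliance’s code) of the layout that avoids the second problem: only a SHA-256 digest of each key is stored, the plaintext is shown once at issue time, and keys can be rotated. The `bla_` prefix and the dictionary standing in for the member table are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Added example, not Blacklist Alliance code. The member "table" is a plain dict
# keyed by key digest, standing in for a database; the prefix is hypothetical.
KEY_PREFIX = "bla_"  # a recognisable prefix lets secret scanners flag a leaked key


def hash_api_key(key: str) -> str:
    # Keys are 256-bit random values, so a single SHA-256 is enough. Password-style
    # stretching (bcrypt, scrypt) is for low-entropy secrets that a human chose.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_api_key(table: dict[str, dict], email: str) -> str:
    """Create a key for a member, store only its digest, return the plaintext once."""
    key = KEY_PREFIX + secrets.token_urlsafe(32)
    table[hash_api_key(key)] = {"email": email, "revoked": False}
    return key  # shown to the member once; never written to the table


def authenticate(table: dict[str, dict], presented: str) -> str | None:
    """Return the member email for a valid, unrevoked key, else None."""
    digest = hash_api_key(presented)
    for stored_digest, record in table.items():
        if hmac.compare_digest(digest, stored_digest) and not record["revoked"]:
            return record["email"]
    return None


def rotate_key(table: dict[str, dict], email: str) -> str:
    """Revoke every key a member holds and issue a fresh one."""
    for record in table.values():
        if record["email"] == email:
            record["revoked"] = True
    return issue_api_key(table, email)


if __name__ == "__main__":
    members: dict[str, dict] = {}
    key = issue_api_key(members, "ops@example.com")
    print("issued:", key)
    print("table holds only digests:", list(members))
    print("authenticates:", authenticate(members, key))
    # What a reader of the leaked table has is the digest, which is not a credential.
    print("digest as credential:", authenticate(members, next(iter(members))))
```

With this layout a copied member table costs the operator nothing beyond rotating any keys that were issued before hashing was adopted; with plain-text keys, as in the exposed file, every key has to be rotated and every client told why.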
Blacklist Alliance clients include SelectQuote, an insurance company; Fluent Inc., which specializes in customer acquisition; and another marketing company, Digital Media Solutions. None of those companies responded to a request for comment.
Data Exposed
Screenshots of exposed data shared with ISMG show the type of customer lists that Blacklist Alliance members have uploaded and indicate the number of rows in each .CSV file, some of which are fairly large. One spreadsheet seen by ISMG contained records on 8,800 U.S. consumers. The data includes names, email addresses, phone numbers, physical addresses, an estimated value of the person’s home and loan-to-value ratio, their mortgage interest rate, FICO credit score and IP addresses.
Each record has a lead generation number. It appears the data was collected online by an entity related to home loan refinancing. Timestamps show most of the data was collected this year.
Another exposed document appeared to be a customer relationship management list related to merchant cash advances, or short-term loans made to businesses. It listed names, business names, email addresses, phone numbers, the loan amount the business was seeking and gross sales figures.
Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned data breach notification service, says there are some serious questions to be asked about why personal information was provided to the Blacklist Alliance.
“Your personal information can end up in places you’ve never even heard of,” Hunt says. “We’ve lost control of our personal information.”