Teletext Holidays bosses are likely to be getting hot under the collar after the firm became the latest to potentially breach GDPR, by leaving customer call audio files unprotected online, exposing customer names, email addresses, home addresses, phone numbers and dates of birth.
The business, which is the trading name of Truly Travels, was formed out of the TV information service which was ditched by the BBC in 2012. It now offers package holidays online and completes bookings over the phone.
The exposed files – which have since been removed – date back to August 2016 and were discovered by Verdict on an unsecured Amazon Web Services server. In total, there were 532,000 files. Of those, 212,000 were audio files from Teletext customers calling its India-based call centre.
The audio files range from a few minutes to up to an hour and, based on accents, appear to involve UK customers. In recordings heard by Verdict, customers can be heard booking holidays, amending bookings, enquiring about trips and making complaints.
In conversations where a holiday is booked, customers also tell the Teletext Holidays employees partial card details. This includes the type of card, name on card and expiry date.
Instead of saying their card number and three-digit security number, customers type them into the keypad – protecting the most serious financial information – but in a small number of calls Verdict heard customers begin to say their card number out loud, before the call centre operator interjects.
The names and dates of birth of accompanying passengers, such as partners and children, can also be heard.
In a statement, a Truly Travel spokesman said: “We are in the process of reporting the matter to the Information Commissioner’s Office, and we will fully comply with our wider legal obligations. The company is taking all appropriate steps to ensure that this situation does not occur in the future.”
The ICO has yet to comment on the incident.
Related stories
Not quite so ‘Priceless’: Data leak affects Mastercard
Twitter admits GDPR breach after exploiting user data
Monzo squirms again after gaffe exposes pin numbers
Capital One admits mass attack as cocky hacker is held
Top London estate agent flayed for 2-year data breach
Leicester City FC on hiding to nothing over data breach
UK firms battered by one hack attack every 50 seconds
Over 40% of firms suffered cyber breach in past year
Top tourist attractions hit by 110m data theft attacks