A bank has left more than one million audio recordings of phone calls seemingly made by bank employees exposed to the open internet, letting anyone listen in on sensitive conversations, including ones with potential customers.
The unusual data exposure comes shortly after financial giant Capital One announced its own data breach of records of more than 100 million people.
Bank of Cardiff, based in San Diego, California, provides loans for small and large businesses, as well as loans for buying business equipment such as treadmills for gyms, construction equipment for contractors, and kitchen equipment for restaurants, according to its website. An independent security researcher pointed Motherboard to an exposed Amazon S3 bucket—a method for storing data—that appears to contain data relating to Bank of Cardiff.
“I still need it,” one person tells a Bank of Cardiff employee in a phone call, referring to her obtaining a loan.
Some of the phone conversations include specific, named employees reading out their direct phone numbers. Motherboard cross-referenced those numbers with online records and found they were connected to the same specific Bank of Cardiff employees.
Many of the calls appear to be Bank of Cardiff employees phoning individuals the bank has discussed loans with, or attempting to offer them one. One call includes a potential customer discussing their plans for obtaining financing either from Bank of Cardiff or a competitor. In another, an employee contacts a company focused on industrial equipment; Motherboard identified the company because of its hold music, which includes the firm’s website. The company did not respond to a request for comment. In a third call, an employee contacted a company about a business loan.
“I’m calling in regards to a business loan that the business took out with [redacted company’s name] back in 2013. [Redacted name] is the point of contact; is he the only owner?” the Bank of Cardiff employee says in the recording.
Judging by the AWS folder directory, many of the recordings date from 2015 to 2017.
Bank of Cardiff did not respond to multiple requests for comment. But when Motherboard contacted the bank on Tuesday, someone started locking down the exposed files. Many of the other audio clips are still available to download at the time of writing, however.