Exposed Broadvoice Databases Contained 350 Million Records, Including Health Data

Comparitech security researcher Bob Diachenko has discovered an exposed cluster of databases belonging to the Voice over IP (VoIP) telecommunications vendor Broadvoice that contained the records of more than 350 million customers.

The exposed Elasticsearch cluster was discovered on October 1, 2020, the day the database cluster was indexed by the search engine. The Elasticsearch cluster was found to contain 10 collections of data, the largest of which consisted of 275 million records and included information such as caller names, phone numbers, and caller locations, along with other sensitive data. One database in the cluster was found to contain transcribed voicemail messages which included a range of sensitive data such as information about financial loans and medical prescriptions. More than 2 million voicemail records were included in that subset of data, 200,000 of which had been transcribed.

The voicemails included caller names, phone numbers, voicemail box identifiers, internal identifiers, and the transcripts included personal information such as full names, phone numbers, dates of birth, and other data. Voicemails left at medical clinics including details of prescriptions and medical procedures. Information about loan inquiries were also exposed, along with some insurance policy numbers.

Diachenko reported the exposed Elasticsearch cluster to Broadvoice, which took prompt action to prevent any unauthorized access. According to Broadvoice CEO Jim Murphy, “We learned that on October 1st, a security researcher was able to access a subset of b-hive data. The data had been stored in an inadvertently unsecured storage service Sept. 28th and was secured Oct. 2nd.” Diachenko confirmed on October 4, 2020 that the Elasticsearch cluster had been secured.

“At this point, we have no reason to believe that there has been any misuse of the data. We are currently engaging a third-party forensics firm to analyze this data and will provide more information and updates to our customers and partners. We cannot speculate further about this issue at this time,” said Murphy.

Broadvoice reported the breach to law enforcement and is investigating the breach. It is currently unclear if anyone other than Diachenko found and accessed the databases.

While most of the databases contained only limited information, it would be of value to cybercriminals who could easily target customers of Broadvoice in phishing scams. The information in the database could be used to convince customers that they were in contact with Broadvoice, and they could be fooled into revealing further sensitive information or making fraudulent payments.

Individuals whose information was detailed in the voicemail transcripts would be most at risk, as the additional data could be used to create convincing and persuasive phishing campaigns.

Comparitech researchers have previously demonstrated individuals are constantly scanning for exposed databases and that they are often discovered within hours of them being exposed. Their research showed that attempts were made to access their Elasticsearch honeypot within 9 hours of the data being exposed. Once databases are indexed by search engines such as Shodan and BinaryEdge attacks occur within a matter of minutes.

Comparitech researchers scan the internet to identify exposed data and report breaches to the owners of the databases. “In order to help raise awareness of data exposures in general and inform affected parties of this particular incident, we publish a report,” explained Comparitech. “Our aim is to have the data secured and all relevant parties informed as quickly as possible to minimize the potential damage caused.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.