Telemarketing Company Leaks 400K of Sensitive FilesBack to blog
Controversial Telemarketing Company Leaks Hundreds of Thousands of Sensitive Files Online. Potentially MacKeeper Security Research Center’s Biggest Discovery to Date.
Researchers from the MacKeeper Security Research Center have made one of the biggest discoveries to date with several hundred thousand files publically available. The files belong to a controversial Florida based marketing company VICI Marketing LLC and include thousands of audio recordings where customers give their names, addresses, phone number, credit card numbers, CV numbers and more. In 2009 VICI Marketing LLC agreed to pay $350,000 to settle a complaint by the Florida Attorney General's Office that the firm obtained stolen consumer information and did not take proper steps to ensure data was acquired legitimately. Researchers have confirmed that despite the fine and penalties they have still not secured customer or company data and there is a date range of recordings going back several years. Under the agreement: If the terms of the injunction are violated, Vici could be subject to a $1 million civil penalty.
There is enough information in each call to provide cyber criminals with all they need to steal the credit card information or commit a wide range of crimes. Some of the recordings do not warn customers that the calls are being recorded or stored. Eleven states require the consent of every party to a phone call or conversation in order to make the recording lawful. These "two-party consent" laws have been adopted in California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania and Washington.
Improper data storage or misconfigured databases can happen to companies big and small, but for a company who has already paid a hefty price and has been the subject of regulatory violations it seems like they would take cyber security more seriously. In the 2009 case where they were accused of obtaining stolen consumer information VICI's lawyer, Robby Birnbaum claimed "We don't have proof of that". Under the terms of the 2009 settlement Vici is permanently prohibited from acquiring or using data without due diligence, using data of unlawful or questionable origin, accessing and using data for consumer telemarketing without background due diligence, and unlawful telemarketing. The files that The MacKeeper Security Researchers have discovered contains hundreds of thousands of records and could take several weeks to go through them all and It is unclear if the sensitive data is being sold or acquired by 3rd parties. Researchers have downloaded a 28 GB copy of the backup for verification purposes and will securely delete the publically available documents once the case is closed. MacKeeper works closely with law enforcement and US Homeland Security in cases where data becomes part of a criminal or civil investigation. There is no suspected wrongdoing at this time other than leaking as many as 17,649 audio recordings with credit card numbers and private customer files.
There is also 375,368 audio recordings that can be qualified as "cold calls", with some of those containing personal information as well.
The internet if full of complaints of how VICI Marketing LLC operates or claims and allegations from former employees. When searching for customer reviews and employee comments we discovered a blog post describing how VICI would give customers a promotional gift if they only pay for the shipping. They offered Skin DM/RejuvaGlow cream that was supposed to cost $3.95 and ended up costing $92.61 after everything was over. A former employee by the name of Justin Tyme says:
“For everyone's knowledge the name of the actual company ripping you off is VICI Marketing LLC, it is a company based out of Largo FL. I worked here for a period of time not knowing what kind of scams they were pulling on people, but it didn't take me long to realize what was REALLY going on, It would take ages to explain in detail the elaborate scam these people have going on, but what I can tell you is that they advertise these products (which usually can be purchased in drug stores for $20 or less) in hopes that the consumer will either not read the terms and conditions, or simply forget to call in and cancel…and believe me IT HAPPENS OFTEN. By the time the consumer realizes what has happen they have already been bill in excess of $100 or more….when the customer calls in for a refund, they make it sound like you can't get one by offering them to keep the products and only giving them partial refunds. Im sure there are some of you who returned the product to sender and refused shipments right? And when you call in to ask about your refund your told that you can't have one because you didn't send the product back properly and it wasn't processed back into the warehouse!!! The very same person telling you that can clearly see in your account that the product has been return successfully but they mark it “no RMA” so the company knows not to give your money back.”
Although we can not verify the claims of former employees many of the complaints online tell the same story and describe exactly the same sales and billing methods.
This publication will updated as soon as investigation continues.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
For more information or media requests please contact firstname.lastname@example.org