Call logs are printed on every billing statement by default. I believe it may even include SMS messages in some cases.
This data has likely proliferated widely throughout the company, subsidiaries and contractors, to reside on an unknowable number of systems. I would assume call record metadata is fully compromised at this point.
That’s not to take away from the finding in the blog – I’m merely commenting on the question in its conclusion, about the implications of a barely know technology vendor controlling the vulnerable server holding this data.
A while ago I worked on a system handling call records for a large telco. Call records were considered sensitive information at that company, and distributed only where definitely needed. I'm sure security wasn't bulletproof, but there were regular audits to check that employees and contractors didn't store records in places they weren't supposed to.
One of the main functions of the system that I worked on was to create various anonymous and/or aggregated versions of the data, which could be distributed and used more widely (for stuff like fraud detection, network provisioning, marketing...).
This data has likely proliferated widely throughout the company, subsidiaries and contractors, to reside on an unknowable number of systems. I would assume call record metadata is fully compromised at this point.
That’s not to take away from the finding in the blog – I’m merely commenting on the question in its conclusion, about the implications of a barely know technology vendor controlling the vulnerable server holding this data.