Why Leaked Call Recordings Supercharge Deepfake Fraud

A recent exposure involving Hello Gym, a Minnesota-based provider of call handling and lead-management tools for fitness franchises, shows how dangerous unsecured audio can be. An internet-reachable storage bucket—left open without a password or encryption—contained 1,605,345 MP3 recordings of phone calls and voicemails dating roughly 2020–2025. Spot checks revealed member names, phone numbers, and call context such as billing questions, renewals, and payment updates. After responsible disclosure, access was closed within hours. Corporate teams at major brands indicated they don’t centrally record calls; instead, franchise locations had adopted a third-party system. How long the trove was exposed and whether anyone else accessed it are unknown without a formal forensic review. The point isn’t blame—it’s the lesson: voice data is uniquely risky in an era of cheap, convincing deepfakes.

Unlike a spreadsheet or an email, a voice clip is a biometric identifier, and one that is trivially cheap to exploit. With only a few seconds of clean audio, today’s models can synthesize convincing speech in a specific person’s voice, and phone calls are exactly where such a clone is hardest to detect. Combine that cloning potential with the context embedded in call recordings (who called, when, and why), and criminals gain everything they need to craft persuasive vishing and social-engineering schemes: “We’re finalizing your renewal from last Thursday—can you confirm the card on file?” Some recordings reportedly captured employee verification steps—names, location IDs, even passwords given to internal support—and one call described disabling a security alarm for testing. Details like these can be repurposed to request refunds, alter accounts, or attempt after-hours entry. At scale, automated transcription turns millions of clips into a searchable intelligence trove that maps people, processes, and schedules.

Regulators are catching up. In the U.S., the FTC has stated that recordings can qualify as biometric information when voiceprints can identify a person. States such as Illinois (BIPA), Texas, Washington, and California already treat certain voice data as sensitive, signaling growing legal exposure for organizations that capture and store audio indefinitely or secure it poorly. That means the fallout from an audio leak isn’t just privacy harm and operational abuse—it can include regulatory penalties and litigation.

How organizations can reduce the blast radius

  • Don’t capture secrets on calls. Prohibit recording of passwords, PINs, 2FA codes, or alarm phrases; move verification to secure, non-recorded channels.
  • Lock down storage by default. Private buckets only (on AWS, enable S3 Block Public Access at the account level so a single bucket policy cannot reopen the door), enforced authentication, encryption at rest and in transit, least-privilege access, and detailed audit logs.
  • Shorten retention and segment archives. Keep only what’s necessary, isolate recording stores from other systems, and avoid single repositories holding years of audio.
  • Automate minimization. Use redaction/transcription pipelines to mask names, numbers, and payment fragments where possible.
  • Harden VoIP/admin consoles. Enforce MFA, rotate keys regularly, restrict by role and source IP, and alert on anomalous access.
  • Verify your vendors. Demand clear evidence of controls (e.g., SOC 2/ISO 27001), key management practices, incident-response plans, and defined retention policies.
  • Find exposures before attackers do. Run periodic external attack-surface scans and independent penetration tests focused on storage misconfiguration.
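
The storage lock-down and exposure-hunting items above are the kind of check that can be partly automated. The following Python is an added example, not code from Hello Gym, any vendor named here, or the original article: it evaluates an S3-style bucket policy document offline and reports every Allow statement granted to an anonymous principal, then lists which of the four S3 Block Public Access settings are off. The policy and configuration it inspects are constructed for illustration; in a real scan the inputs would come from the bucket's policy and public-access-block API calls, which are assumed and not shown.

```python
"""Flag public-access grants in an S3-style bucket policy (added example).

Not Hello Gym's code or any vendor's tooling. The policy below is constructed
for illustration; it is not the policy from the incident. Condition handling is
a deliberate simplification: a conditioned grant is reported for review rather
than evaluated.
"""
import json

# Constructed sample: one statement is wide open, one lists the bucket to
# everyone, one is scoped to a role, one is anonymous but gated by a condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::call-recordings/*"},
        {"Sid": "ListAll", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::call-recordings"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ivr-writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::call-recordings/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::call-recordings/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0abc123"}}},
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when a statement grants to everyone: "*" or {"AWS": "*"} (any key)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json):
    """Return (Sid, sorted actions, gated) for Allow statements to anonymous principals.

    gated is True when the statement carries a Condition block; such grants are
    still worth review because the condition may be broader than intended.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append((
            stmt.get("Sid", "<no sid>"),
            sorted(_as_list(stmt.get("Action", []))),
            bool(stmt.get("Condition")),
        ))
    return findings


def public_access_block_gaps(config):
    """Return the names of the four S3 Block Public Access settings that are off."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [name for name in required if not config.get(name, False)]


if __name__ == "__main__":
    for sid, actions, gated in public_statements(SAMPLE_POLICY):
        severity = "REVIEW (conditioned)" if gated else "CRITICAL (unconditioned)"
        print(f"{severity}: statement {sid} grants {actions} to anyone")
    # Constructed config with only two of the four settings enabled.
    print("Public Access Block gaps:",
          public_access_block_gaps({"BlockPublicAcls": True, "IgnorePublicAcls": True}))
```

The check is intentionally pessimistic: any anonymous principal is reported even when a Condition narrows it, because a bucket holding years of call audio should not rely on a condition being written correctly. Run it against every bucket in the account, not only the one you think holds recordings.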

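For the "don't capture secrets" and "automate minimization" items above, here is an added Python example (not the article's, Hello Gym's, or any vendor's code) of a post-transcription redaction pass. It assumes a speech-to-text stage has already produced speaker-labelled text; the transcript lines are constructed for the example, and the card number is the standard 4111 test number. Name redaction is deliberately left out because it needs an NER model rather than a pattern, and a regex would give false confidence.

```python
"""Redact PII and spoken secrets in a call transcript (added example).

Not Hello Gym's or any vendor's code. Input is assumed to be "speaker: text"
lines from a speech-to-text step. The lines below are constructed, not real
recordings.
"""
import re

SAMPLE_TRANSCRIPT = [
    "agent: Thanks for calling, can I get the number you're calling from?",
    "caller: Sure, it's 612-555-0142.",
    "agent: And the card on file ends in... let me confirm, 4111 1111 1111 1111?",
    "caller: Yes, and my PIN is 4821 if you need it.",
    "agent: Got it. The alarm code for the front door is 7733, use it after hours.",
    "caller: Also my login password is Summer2024!",
    "agent: Your invoice number is 1234 5678 9012 3456, that is not a card.",
]

# North American phone numbers with common separators and an optional +1.
PHONE_RE = re.compile(r"\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# 13 to 19 digit runs with optional separators; confirmed with Luhn before masking.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A secret spoken aloud: trigger word, then "is"/"was"/"for <thing> is" or a colon,
# then the value. Group 1 keeps the prefix, group 2 is the value to mask.
SECRET_RE = re.compile(
    r"\b((?:pin|password|passcode|alarm code|security code|one[- ]time code)\b"
    r"(?:\s+(?:is|was|for [\w ]+ is)|\s*:))\s*([^\s,.]+)",
    re.IGNORECASE,
)


def luhn_ok(digits):
    """Luhn checksum over a digit string; cuts invoice/reference numbers out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pan(text):
    """Mask Luhn-valid digit runs, keeping the last four for reconciliation."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_ok(digits):
            return "[CARD-****" + digits[-4:] + "]"
        return match.group(0)  # fails Luhn: leave it, probably not a card
    return PAN_RE.sub(repl, text)


def redact_line(line):
    """Apply the maskers in order: card numbers first, then phones, then secrets."""
    line = redact_pan(line)
    line = PHONE_RE.sub("[PHONE]", line)
    line = SECRET_RE.sub(r"\1 [REDACTED]", line)
    return line


def redact_transcript(lines):
    """Return (redacted_lines, flagged_indexes).

    flagged_indexes lists lines where a PIN, password or alarm code was spoken,
    so the audio segment itself can be trimmed or quarantined; masking the
    transcript alone leaves the secret in the MP3.
    """
    redacted, flagged = [], []
    for i, line in enumerate(lines):
        if SECRET_RE.search(line):
            flagged.append(i)
        redacted.append(redact_line(line))
    return redacted, flagged


if __name__ == "__main__":
    out, flags = redact_transcript(SAMPLE_TRANSCRIPT)
    for i, line in enumerate(out):
        print(("!! " if i in flags else "   ") + line)
```

Two design choices matter here: digit runs are only masked as card numbers when they pass Luhn, so invoice and reference numbers survive, and any line where a secret was spoken is flagged separately so the recording can be cut at that point. The flag list is also the metric you want for the "don't capture secrets on calls" policy: if it is not trending to zero, agents are still asking for things they should not.
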
Practical advice for individuals

Treat surprise calls about billing or account changes with caution—even if the caller knows real details. Hang up and call back using the number on the gym’s website or app. Prefer official portals for payments and updates instead of reading details over the phone. Establish family or team passphrases for urgent requests, and harden your personal accounts (MFA, current OS and apps, login alerts) to limit downstream damage if impersonation occurs.

The lesson from the Hello Gym incident is simple: if you record calls, you’re stewarding biometric identity plus context. In the deepfake era, that combination dramatically increases the payoff for attackers. Encrypting, minimizing, segregating, and strictly governing voice data—while eliminating sensitive content from recordings altogether—are no longer nice-to-haves. They’re table stakes for operating safely in 2025.