The recorded telephone calls of 200,000 customers were left exposed on a cloud server for three years, an investigation by Verdict found.
The firm behind the brand – Truly Travel – has now reported the breach to the Information Commissioner’s Office.
The audio files were recorded between April and August 2016.
Verdict claims that in some recordings it heard, partial credit card numbers are spoken.
The audio files were stored on an Amazon Web Services in the latest in a long line of security issues for businesses using the cloud.
Truly Travel, which trades under the name Teletext Holidays, told the BBC: “Our booking procedure does not allow agents to take card numbers over the phone. Customers are asked to punch their card details into a secure automated system. If a customer attempts to give their card information verbally, they are stopped by the agent.”
It added: “Once the matter was brought to our attention, we immediately secured the files in question. We have contacted the Information Commissioner’s Office.”
The calls ranged from a few minutes to up to an hour and involved discussion of holiday details. In some heard by Verdict people begin to say their card number.
When firms take credit card numbers, whether spoken or tapped into a phone, they are obliged to mute this section of the call.
Security consultant Graham Cluley said: “Most consumers accept that recordings may be kept for ‘training purposes’, but you also expect them to be stored securely and certainly not left lying around in an internet-connected bucket where any Tom, Dick or Harry could access them with malicious intent.
“Things are made even more serious by the fact that some of these records had transcriptions, making it even easier for a criminal to scour through the database to access information that they could monetise with fraudulent intent.”