CallMor Data Breach Exposes 60GB of Customer Communication Data

The CallMor data breach has been listed by the BEAST ransomware group after the threat actor added the U.S.-based cloud communications company to its dark web leak site. The listing claims that attackers stole approximately 60GB of internal data, including sensitive communication logs, customer information, and corporate documents. The data remains marked as unpublished, suggesting that ransom negotiations may still be ongoing or that the group is preparing to release it publicly.

BEAST’s targeting of CallMor highlights a growing trend of ransomware operations aimed at telecommunications and business communication platforms. These companies manage large volumes of sensitive client information, call metadata, and system credentials, which are highly valuable on the black market. The CallMor data breach is part of a recent wave of coordinated cyberattacks by BEAST that also included entities in Brazil, Pakistan, and India.

Background on CallMor

CallMor, accessible via ringmor.com, provides virtual phone system services for businesses across North America. The company offers cloud-based communication solutions designed to simplify connectivity between employees, clients, and remote teams. According to the ransomware leak site, CallMor’s estimated annual revenue is $5.4 million, and its services are focused on delivering reliable VoIP and customer support solutions with no hidden fees.

CallMor advertises unlimited communication options and 24/7 customer service. Its cloud infrastructure stores business contacts, phone records, and client support information, making it an attractive target for cybercriminals. A successful ransomware attack against such a company could expose not only its internal data but also the communications and operational details of its clients.

Details of the CallMor Data Breach

The CallMor data breach was added to BEAST’s leak portal on November 1, 2025. The listing describes the stolen data as totaling 60GB and categorizes the breach as “unpublished.” This means the attackers are either still negotiating payment or are waiting for an opportune time to release the files. The post includes CallMor’s company website, revenue estimate, and technical data size, which are typical indicators that the ransomware group obtained access to backend systems or internal documentation.

While BEAST did not publish data samples, the listing suggests the attackers have access to detailed customer information, including:

• Business contact details such as phone numbers and email addresses
• Client account data and service logs
• Internal communication and configuration files
• Support documentation and employee data
• VoIP and cloud management credentials

Even without leaked samples, the breach poses a major concern because of the nature of CallMor’s business. Communications providers handle sensitive information that can be weaponized for phishing, identity theft, or corporate espionage. If the full 60GB is released, it could reveal large amounts of customer data and potentially disrupt client operations.

About the BEAST Ransomware Group

The BEAST ransomware group emerged in mid-2025 and has since become known for coordinated global campaigns. The group employs a double-extortion model, encrypting systems while simultaneously exfiltrating sensitive data to pressure victims into paying ransom. Unlike some groups that rely solely on encryption, BEAST prioritizes public exposure as a form of leverage.

Recent BEAST attacks include incidents involving manufacturing, government, and telecommunication companies. Their leak site typically includes revenue estimates, company descriptions, and sometimes website URLs to validate the authenticity of their claims. In early November 2025, BEAST added three victims in a single update: Noroaco in Brazil, Punjab Forensic Science Agency in Pakistan, and CallMor in the United States. This pattern shows that BEAST targets diverse industries with consistent precision.

Timeline of the Attack

Based on the available data, the CallMor data breach likely occurred in late October 2025. The listing was first observed on November 1, 2025, and remains active on BEAST’s dark web portal. There is no public evidence of data release yet, and the company has not confirmed or denied the incident.

Typically, ransomware operators give victims one to two weeks to respond before making the data public. Since CallMor’s listing remains unpublished as of November 9, it suggests the ransom deadline may still be active. The 60GB dataset size is moderate compared to other BEAST cases but still significant enough to include confidential corporate information and communications data.

Possible Method of Intrusion

While BEAST has not disclosed the attack vector used in the CallMor data breach, the group often employs common tactics such as:

• Exploiting vulnerabilities in cloud or VoIP infrastructure
• Using phishing campaigns to harvest administrator credentials
• Gaining access through weak or reused passwords
• Deploying remote access trojans (RATs) or malware loaders before exfiltration

CallMor’s cloud architecture and customer-facing services could have been exploited through insecure APIs or outdated software dependencies. Many cloud communication providers rely on third-party integrations that can expand the attack surface, making it easier for ransomware groups to identify weak points.

Impact of the CallMor Data Breach

The potential impact of the CallMor data breach extends beyond the company itself. If confirmed, the breach could expose sensitive communication data from thousands of business clients, including internal call logs, message metadata, and customer support transcripts. These types of data leaks are often exploited for targeted phishing or business email compromise (BEC) attacks.

For CallMor, the consequences may include regulatory fines, reputational harm, and service disruptions. The exposure of customer communication data could lead to violations under U.S. data protection laws and industry standards such as SOC 2 and ISO 27001 compliance frameworks. Clients may also reconsider their partnerships with the company if trust in its data handling practices declines.

Wider Industry Context

Ransomware attacks against communication service providers have surged throughout 2025. Groups like BEAST, Qilin, and 8Base have shifted focus from manufacturing to technology and cloud-based companies that manage sensitive customer interactions. These organizations tend to pay ransoms more frequently to avoid customer data exposure and operational downtime.

Telecom and communication technology providers are especially vulnerable due to their reliance on interconnected systems and real-time services. Even brief disruptions caused by ransomware can cripple operations and customer support. For BEAST, targeting companies like CallMor demonstrates a strategy aimed at exploiting high-value sectors with urgent recovery needs.

BEAST’s Growing Data Leak Network

BEAST continues to add international victims to its leak site, showing signs of organized expansion. The inclusion of U.S., Brazilian, and Pakistani entities in a single campaign points to a distributed ransomware operation possibly involving affiliate partners. Analysts suggest BEAST may operate under a ransomware-as-a-service (RaaS) model, where affiliates carry out attacks in exchange for a share of ransom profits.

The group’s leak site follows the same pattern for each victim: a company description, estimated revenue, website address, and total data size. CallMor’s 60GB breach listing aligns with this format. Although BEAST is not yet as prolific as major ransomware brands like LockBit or BlackCat, it has rapidly gained notoriety for its consistent targeting of smaller and mid-sized enterprises.

Company Response

As of now, CallMor has not issued an official statement or acknowledgment of the breach. This silence is common during ongoing investigations or ransom negotiations. Companies under attack often avoid public comment to prevent escalating the situation or interfering with recovery efforts. Cybersecurity researchers are actively monitoring BEAST’s dark web site for any updates or file releases related to the CallMor data breach.

If CallMor confirms the incident, regulators may require mandatory disclosure depending on the data’s content and jurisdiction. U.S. laws typically require companies to notify affected individuals if personal or financial information is compromised. Businesses that rely on CallMor’s services should assume that data exposure is possible and take precautionary measures immediately.

Security Recommendations

Experts recommend several key actions for businesses that may be affected by the CallMor data breach or similar incidents:

• Change all CallMor account passwords and enable multifactor authentication
• Review communication records for suspicious activity
• Notify clients and partners about potential exposure
• Perform a full malware and ransomware scan using reputable software such as Malwarebytes
• Monitor financial accounts for signs of fraud or unauthorized transfers
• Implement network segmentation to limit future breaches

For organizations, prevention remains the most effective defense. Regular security audits, staff training, and proactive patching can significantly reduce the risk of compromise. Companies should also keep offline backups of critical data and maintain clear incident response procedures to minimize damage in the event of ransomware infection.

Ongoing Monitoring

At the time of writing, no files from the CallMor data breach have been published. BEAST typically releases stolen data within days of missed ransom deadlines, so the situation continues to evolve. Cybersecurity experts are urging affected businesses to monitor BEAST’s leak portal and remain alert for phishing campaigns or scams that reference the breach.

The attack underscores the continuing vulnerability of small and mid-sized technology firms in the current ransomware landscape. With communication data becoming one of the most valuable forms of corporate intelligence, attacks against service providers like CallMor are likely to continue.

The CallMor data breach demonstrates how ransomware groups like BEAST exploit the dependency of businesses on reliable, private communications. As the situation develops, analysts will continue tracking whether the stolen data surfaces online or is sold privately through underground forums. For now, the listing stands as another example of how even smaller tech companies are not immune to sophisticated cyber extortion.

For ongoing updates about the latest data breaches and current cybersecurity incidents, visit Botcrawl for detailed reports, expert insights, and breach tracking coverage.