How did the Be Call Group data breach occur?

While no specific vulnerability has been cited as the root cause, attackers likely gained a foothold into Be Call Group's network using compromised corporate credentials. This was likely accomplished via targeted spear-phishing or by exploiting public-facing remote access gateways. Once inside, the threat actor harvested credentials and mapped the active integration points connecting the BPO provider to TIGO Colombia.

What information was leaked in the Be Call Group incident?

The leak consists of a 1 GB archive containing approximately 9.7 million records. Critically, the dataset includes internal connection parameters, active network and email accounts, and integration keys or login credentials needed to access TIGO Colombia's client applications. This presents an immediate risk of unauthorized access to downstream telecom applications.

What steps should enterprises take to mitigate third-party BPO risk?

Organizations should enforce strict zero-trust access control. This includes requiring multi-factor authentication (MFA) for all partner connections, restricting access to whitelisted static IP ranges, continuously monitoring API usage for anomalies, and rotating all shared credentials regularly. Furthermore, security teams should conduct continuous attack surface management to detect exposed access portals.

Back to Threat Intelligence

supply chainhigh

Be Call Group Leak Exposes Downstream Access

A substantial data leak involving Be Call Group, a contact center BPO partner of TIGO Colombia, has exposed 1 GB of data containing 9.7 million records and direct connection credentials. Discover how attackers abuse third-party trust relationships and how to protect your enterprise network.

Published: June 24, 2026Source date: June 24, 2026Check your domain

Be Call Group Leak Exposes Downstream Access

Be Call Group Leak Highlights

Exfiltrated Data Size

0 GB

Exposed Records

Downstream Clients Affected

Supply Chain Vulnerability Risk Rating

High potential for downstream lateral movement and credential abuse.

0.0

/ 10.0 custom

High Risk

BPO to Enterprise Downstream Compromise Flow

1Initial Accessmedium
Spear-phishing or remote-access vulnerability (e.g. Lumma, AgentTesla)
medium
2Credential Harvestingmedium
Gather Active Directory and internal email accounts
medium
3Target Integration Mappinghigh
Identify API endpoints, credentials, and VPN configurations for TIGO
high
4Exfiltration & Leakhigh
Exfiltrate 1 GB of data and publish details to cybercrime forums
high
5Downstream Exploitationcritical
Abuse trusted integrations to compromise downstream customer systems
critical

Adversary TTP Mapping

Initial Access

T1190

Exploit Public-Facing Application

T1566

Phishing

Execution & Lateral Movement

T1078

Valid Accounts

Command and Control

T1199

Trusted Relationship

Exfiltration

T1020

Automated Exfiltration

Suspected Target Infrastructure & Host IoCs

domain
becallgroup.com
Primary target domain
domain
becallgroup.com
Primary target domain
domain
becallgroup.es
Target infrastructure domain
domain
becallgroup.es
Target infrastructure domain
email
[email protected]
Compromised / monitored contact email
email
[email protected]
Compromised / monitored contact email
email
[email protected]
Compromised / monitored contact email
email
[email protected]
Compromised / monitored contact email
ip
190.145.11.98
BECALL BPO mapped asset
ip
190.145.11.98
BECALL BPO mapped asset
ip
190.145.11.100
edocs.hmtserver.net
ip
190.145.11.100
edocs.hmtserver.net
ip
190.145.11.110
dtv.hmtserver.net
ip
190.145.11.110
dtv.hmtserver.net
ip
190.145.11.118
edocs01.hmtserver.net
ip
190.145.11.118
edocs01.hmtserver.net
ip
94.125.143.156
becallgroup.es
ip
94.125.143.156
becallgroup.es

Proactive Defense & Hardening Matrix

L1
Perimeter & Network Security
Implement strict IP Geofencing and VPN whitelistsContinuous external attack surface scanning of BPO partners
L2
Identity & Access Control
Revoke and force reset all BPO user sessionsMandate hardware-based Multi-Factor Authentication (MFA)
L3
Integration & API Security
Rotate all system-to-system credentials and API tokensEnforce continuous auditing on integration portals

Be Call Group Leak Exposes Downstream Access | Femto Security Threat Intelligence

Be Call Group Leak Exposes Downstream Access

Be Call Group Leak Exposes Downstream Access

Key Takeaways

Be Call Group Leak Highlights

Supply Chain Vulnerability Risk Rating

BPO to Enterprise Downstream Compromise Flow

Adversary TTP Mapping

Suspected Target Infrastructure & Host IoCs

Proactive Defense & Hardening Matrix

How to Defend Against Similar Threats

Threat Intel FAQ

Could a similar threat affect your organization?