A company that provides telecommunications services to people in prison failed to properly protect the sensitive data it had on its users. As a result, the data leaked on the dark web, some victims’ identities were abused, and in some instances – their credit cards were fraudulently charged, as well.
The news was revealed by the US Federal Trade Commission (FTC), which settled its case with Global Tel*Link Corp, with the settlement including two of its subsidiaries, too – Telmate and TouchPay Holdings.
According to the filing, back in mid-2020, the company wanted to test a new version of a search software product. To that end, it copied a database holding entries on 650,000 real users to a test environment on Amazon Web Services (AWS). For roughly two days, the data sitting in the test environment was not protected by a password, or any other means of control. Two days later, the company was notified by a security researcher that the database was out in the open, but it was already too late. Even though Global Tel*Link locked the files down, they soon emerged on a forum on the dark web.
Making things worse
The data that was stolen contained enough information to mount not just identity theft or phishing attacks, but wire fraud, too.
It included “full names; dates of birth; phone numbers; usernames or email addresses in combination with passwords; home addresses; driver’s license numbers; passport numbers; location information; information about individuals’ race, religion, and whether they are transgender; approximately 80,000 grievances submitted by incarcerated consumers to Facilities; and the content, dates and times, senders, and recipients of approximately 75,000 written messages that incarcerated and non-incarcerated users had exchanged using Respondents’ services.
In numerous instances, the written messages contained payment card numbers, financial account information, and Social Security numbers,” the FTC’s document reads.
The FTC also said that some consumers complained to the company, saying they found their sensitive data on the dark web: “Some consumer complaints also indicated that consumers had been alerted to fraudulent transactions on their credit cards following the Incident.”
But that’s just the tip of the iceberg. Apparently, Global Tel*Link Corp only made things worse by falsely advertising it had never been breached. Also, it took nine months to notify the affected individuals and even when it did, it only notified a portion – some 45,000 people.
Global Tel*Link Corp settled the case with the FTC by promising to upgrade its security practices and offer free credit monitoring and identity protection to affected users. The settlement doesn’t seem to include any fines.
Via Ars Technica