Prison phone company blamed for data breach affecting thousands of users

altes telefon
(Image credit: ( © Alex))

A company that provides telecommunications services to people in prison failed to properly protect the sensitive data it had on its users. As a result, the data leaked on the dark web, some victims’ identities were abused, and in some instances - their credit cards were fraudulently charged, as well. 

The news was revealed by the US Federal Trade Commission (FTC), which settled its case with Global Tel*Link Corp, with the settlement including two of its subsidiaries, too - Telmate and TouchPay Holdings. 

According to the filing, back in mid-2020, the company wanted to test a new version of a search software product. To that end, it copied a database holding entries on 650,000 real users to a test environment on Amazon Web Services (AWS). For roughly two days, the data sitting in the test environment was not protected by a password, or any other means of control. Two days later, the company was notified by a security researcher that the database was out in the open, but it was already too late. Even though Global Tel*Link locked the files down, they soon emerged on a forum on the dark web. 

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

Making things worse

The data that was stolen contained enough information to mount not just identity theft or phishing attacks, but wire fraud, too.

It included "full names; dates of birth; phone numbers; usernames or email addresses in combination with passwords; home addresses; driver's license numbers; passport numbers; location information; information about individuals' race, religion, and whether they are transgender; approximately 80,000 grievances submitted by incarcerated consumers to Facilities; and the content, dates and times, senders, and recipients of approximately 75,000 written messages that incarcerated and non-incarcerated users had exchanged using Respondents' services. 

In numerous instances, the written messages contained payment card numbers, financial account information, and Social Security numbers,” the FTC’s document reads.

The FTC also said that some consumers complained to the company, saying they found their sensitive data on the dark web: “Some consumer complaints also indicated that consumers had been alerted to fraudulent transactions on their credit cards following the Incident."

But that’s just the tip of the iceberg. Apparently, Global Tel*Link Corp only made things worse by falsely advertising it had never been breached. Also, it took nine months to notify the affected individuals and even when it did, it only notified a portion - some 45,000 people. 

Global Tel*Link Corp settled the case with the FTC by promising to upgrade its security practices and offer free credit monitoring and identity protection to affected users. The settlement doesn’t seem to include any fines.

Via Ars Technica

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.