TechRadar
Sead Fadilpašić

Prison phone company blamed for data breach affecting thousands of users

Old telephone.

A company that provides telecommunications services to people in prison failed to properly protect the sensitive data it held on its users. As a result, the data leaked on the dark web, some victims' identities were abused, and in some instances their credit cards were fraudulently charged as well.

The news was revealed by the US Federal Trade Commission (FTC), which settled its case with Global Tel*Link Corp. The settlement also covers two of its subsidiaries, Telmate and TouchPay Holdings.

According to the filing, back in mid-2020, the company wanted to test a new version of a search software product. To that end, it copied a database holding entries on 650,000 real users to a test environment on Amazon Web Services (AWS). For roughly two days, the data sitting in the test environment was not protected by a password, or any other means of control. Two days later, the company was notified by a security researcher that the database was out in the open, but it was already too late. Even though Global Tel*Link locked the files down, they soon emerged on a forum on the dark web. 


Making things worse

The data that was stolen contained enough information to mount not just identity theft or phishing attacks, but wire fraud, too.

It included “full names; dates of birth; phone numbers; usernames or email addresses in combination with passwords; home addresses; driver's license numbers; passport numbers; location information; information about individuals' race, religion, and whether they are transgender; approximately 80,000 grievances submitted by incarcerated consumers to Facilities; and the content, dates and times, senders, and recipients of approximately 75,000 written messages that incarcerated and non-incarcerated users had exchanged using Respondents' services. In numerous instances, the written messages contained payment card numbers, financial account information, and Social Security numbers,” the FTC’s document reads.

The FTC also said that some consumers complained to the company, saying they found their sensitive data on the dark web: “Some consumer complaints also indicated that consumers had been alerted to fraudulent transactions on their credit cards following the Incident.”

But that’s just the tip of the iceberg. Apparently, Global Tel*Link Corp only made things worse by falsely advertising that it had never been breached. It also took nine months to notify the affected individuals, and even when it did, it only notified a portion of them, some 45,000 people.

Global Tel*Link Corp settled the case with the FTC by promising to upgrade its security practices and offer free credit monitoring and identity protection to affected users. The settlement doesn’t seem to include any fines.

Via Ars Technica
