Prison phone company Global Tel*Link leaked the personal information of nearly 650,000 users and failed to notify most of the users that their personal data was exposed, the Federal Trade Commission said today. The company agreed to a settlement that requires it to change its security practices and offer free credit monitoring and identity protection to affected users, but the settlement doesn’t include a fine.
“Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing,” the FTC said.
Global Tel*Link has long been controversial because of the prices it charges for inmate-calling services. The company rebranded itself as ViaPath Technologies last year. The subsidiaries targeted in the FTC complaint are Telmate and TouchPay Holdings.
A security researcher notified Global Tel*Link of the breach on August 13, 2020, according to the FTC’s complaint. This happened just after “the company and a third-party vendor copied a large volume of sensitive, unencrypted personal information about nearly 650,000 real users of its products and services into the cloud but failed to take adequate steps to protect the data,” the FTC said.
The data was copied to an Amazon Web Services test environment to test a new version of a search software product. For about two days, the data was in the test environment and “accessible via the Internet without password protection or other access controls,” the FTC said.
Some users notified… 9 months later
After hearing from the security researcher, Global Tel*Link reconfigured the test environment to cut off public access. But a few weeks later, the firm was notified by an identity monitoring vendor that the data was available on the dark web. Global Tel*Link didn’t notify any users until May 2021, and even then, it only notified a subset of them, according to the FTC.
“Global Tel*Link waited approximately nine months to notify affected customers and only contacted 45,000 users—even though the breach may have affected hundreds of thousands of additional customers—that their personal data may have been compromised as a result of the data breach,” the FTC said. “This nine-month delay harmed users who did not have an opportunity to take actions to protect themselves from identity theft by implementing a credit freeze or other measures… The company also repeatedly and falsely claimed in marketing materials following the incident that it had never suffered a data breach.”
On multiple occasions after the breach, Global Tel*Link denied ever having a security breach in responses to prison facilities’ Requests for Proposals (RFPs), the complaint said. The company’s RFP responses claimed it had “never experienced a data security breach or had not experienced a data security breach within a particular time frame that includes the dates of the Incident,” the FTC said.