Prison phone company leaked the data of 600,000 users and did not notify them
An anonymous reader quotes a report from Ars Technica: Prison phone company Global Tel*Link leaked the personal information of nearly 650,000 users and failed to notify most of them that their personal data had been exposed, the Federal Trade Commission said today. The company agreed to a settlement requiring it to change its security practices and provide free credit monitoring and identity protection to affected users, but the settlement does not include a fine. “Global Tel*Link and two of its affiliates failed to implement adequate security safeguards to protect the personal information they collect from users of their services, enabling bad actors to access unencrypted personal information stored in the cloud and used for testing,” the FTC said.
A security researcher reported the breach to Global Tel*Link on August 13, 2020, according to the FTC complaint (PDF). This happened right after “the company and a third-party vendor copied a large amount of sensitive, unencrypted personal information about approximately 650,000 real-life users of its products and services to the cloud but failed to take adequate steps to protect the data,” the FTC said. The data was copied to an Amazon Web Services test environment to test a new version of the company's search software product. For about two days, the data sat in the test environment and was “accessible over the Internet without password protection or other access controls,” the FTC said. After the security researcher reported the problem, Global Tel*Link reconfigured the test environment to cut off public access. But a few weeks later, the company was notified by an identity monitoring vendor that the data was available on the dark web. Global Tel*Link did not notify any users until May 2021, and even then it notified only a subset of them, according to the FTC. (…)
The complaint said Global Tel*Link violated the FTC Act's prohibition on unfair or deceptive acts or practices, and charged the company with unfair data security practices, unfair failure to notify affected consumers of the incident, misrepresentations about its data security, misrepresentations to individual users in connection with the incident, misrepresentations to individual users in connection with the notice, and deceptive representations to prison facilities in connection with the incident. To settle the charges, the company agreed to new security protocols, including “change management measures” for all of its systems to help reduce the risk of human error, the use of multi-factor authentication, and procedures to reduce the amount of data it collects and stores, the FTC said. Global Tel*Link must also notify affected users who were not previously notified of the breach and provide them with credit monitoring and identity protection products. The product must include $1 million in identity theft insurance to cover costs related to identity theft or fraud. The company must also notify consumers and prison facilities within 30 days of future data breaches and notify the Federal Trade Commission of the incidents, the agency said. Violations of the settlement could result in fines of $50,120 per violation, the FTC said.