Federal Trade Commission takes action against Global Tel*Link Corp for failing to secure data and notify consumers
November 20, 2023
The US Federal Trade Commission (“FTC”) is the most active federal regulator of privacy and data breaches in the United States. It has its fair share of critics but is frenetic compared to Australian regulators. It has announced that it has taken action against Global Tel*Link Corp, a prison communications provider. It alleges that Global failed to secure the sensitive personal information of hundreds of thousands of users by posting the unencrypted personal information of 650,000 users in the cloud in August 2020 without firewall protection, encryption or monitoring software. Global only became aware of the problem when a security researcher alerted it. In the meantime hackers accessed billions of bytes of this exposed data and put it on the dark web, of which Global was advised in September 2020. Global waited 9 months to notify affected customers and in any event only notified 45,000. Ars Technica reported on it in Prison phone company leaked 600K users’ data and didn’t notify them, FTC says.
The FTC media release provides:
The Federal Trade Commission will require prison communications provider Global Tel*Link Corp. and two of its subsidiaries to notify consumers of any future data breaches as part of a proposed settlement over charges they failed to secure sensitive data of hundreds of thousands of users stored in a cloud environment and failed to alert all those affected by the incident.
In a complaint, the FTC says that Falls Church, Va.,-based Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing.
“The FTC is committed to protecting the rights to privacy and security of personal information for all consumers, including incarcerated consumers and their loved ones,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “When consumers have little or no choice about whether to use a business’s products or services, the business has an even greater responsibility to ensure that its practices don’t cause harm.”
Global Tel*Link, which also does business as GTL and ViaPath Technologies, contracts with federal, state, and local jails, prisons, and similar institutions to provide communications services such as phone and video calls and payment services for incarcerated individuals. In the course of providing their services, Global Tel*Link and its subsidiaries collect personal information from consumers including their names, addresses, government identification numbers such as passport numbers or driver’s license numbers, Social Security numbers, and financial account information.
In marketing and other materials, Global Tel*Link touted its security practices by claiming that data security is “the cornerstone of what we do” and that it implemented a security architecture that included many safeguards such as encryption to ensure that its users’ data would not fall into the “wrong hands.”
The FTC says, however, that Global Tel*Link failed to live up to these claims. In August 2020, as part of an effort to test new search software, the company and a third-party vendor copied a large volume of sensitive, unencrypted personal information about nearly 650,000 real users of its products and services into the cloud but failed to take adequate steps to protect the data. For example, Global Tel*Link stored the data in plain text and failed to deploy a firewall to protect the copied data, implement monitoring software that would have alerted the company if the security settings were changed, and inventory and track the consumer information uploaded to the copied data, according to the complaint. The copied data included individuals’ full names, dates of birth, phone numbers, usernames or email addresses in combination with passwords, Social Security numbers, location information, grievance forms, which can include very sensitive information, and messages exchanged between incarcerated individuals and their friends and family.
As a result of changes made by the company’s third-party vendor to the security settings for the data stored in the cloud, the personal data of many Global Tel*Link customers was left accessible via the internet without any safeguards to prevent unauthorized people from accessing and removing data from the test site—until a security researcher alerted the company about the security holes. A forensic analysis showed that a handful of hackers accessed billions of bytes of the exposed data. In early September, Global Tel*Link was notified again by an identity monitoring company that personal data belonging to Global Tel*Link users was available on the dark web, which is a collection of websites that are used to buy and sell illegally obtained personal data for fraud, identity theft and other nefarious purposes.
Despite this, Global Tel*Link waited approximately nine months to notify affected customers and only contacted 45,000 users—even though the breach may have affected hundreds of thousands of additional customers—that their personal data may have been compromised as a result of the data breach. This nine-month delay harmed users who did not have an opportunity to take actions to protect themselves from identity theft by implementing a credit freeze or other measures, according to the complaint. The company also repeatedly and falsely claimed in marketing materials following the incident that it had never suffered a data breach.
As part of the proposed order with the FTC, Global Tel*Link and two of its subsidiaries are prohibited from misrepresenting their data security practices and will be required, among other things, to:
- implement a comprehensive data security program that includes several requirements such as the deployment of “change management” measures to all of its systems to help reduce the risk of human error, use of multifactor authentication, and procedures to minimize the amount of data it collects and stores;
- notify users of its products affected by the data breach who did not previously receive notice and provide them with credit monitoring and identity protection products;
- notify consumers and facilities within 30 days about future data breaches or security incidents that trigger any federal, state, or local breach reporting requirements and provide information about what data was impacted and how many consumers were affected; and
- notify the FTC within 10 days of reporting a security incident to any local, state or federal authorities.
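The FTC release above says the copied test data sat in the cloud in plain text, behind no firewall, with no monitoring that would have alerted the company when a vendor changed the security settings, and with no inventory of what had been uploaded. The example below is added here and is not code from the FTC, Global Tel*Link or this blog; it shows the kind of settings-change monitoring the release describes, written against an access policy in the shape of an AWS S3 bucket policy (the page names Amazon Web Services as the test platform). The bucket name, account id, role name and statement ids are constructed placeholders, and the "drifted" policy is a constructed sample of a vendor change that opens the data to anonymous readers.

```python
"""Detect a cloud storage access policy drifting from private to public.

Added example, not code from the FTC, Global Tel*Link or this blog. It
models the missing control named in the FTC complaint: monitoring that
alerts when the security settings on a test dataset are changed. Policy
documents are constructed samples shaped like an AWS S3 bucket policy;
every identifier in them is a placeholder.
"""
import json

# Constructed baseline: only a named test role may read the test dataset.
BASELINE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TestRoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/search-test-role"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-search-test-data/*",
    }],
})

# Constructed snapshot after a vendor change: an anonymous-read statement was added.
DRIFTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        json.loads(BASELINE_POLICY)["Statement"][0],
        {
            "Sid": "VendorAddedPublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-search-test-data",
                         "arn:aws:s3:::example-search-test-data/*"],
        },
    ],
})


def _principals(principal):
    """Flatten the Principal field (string, '*', or {"AWS": [...]}) into a list."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return [principal]


def public_statements(policy_json):
    """Return the Sids of Allow statements reachable by anyone on the internet."""
    exposed = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # A wildcard principal with no Condition block means anonymous access.
        if "*" in _principals(stmt.get("Principal", {})) and not stmt.get("Condition"):
            exposed.append(stmt.get("Sid", "<unnamed>"))
    return exposed


def policy_changes(baseline_json, current_json):
    """Diff two policies by Sid; returns (added, removed, modified) Sid lists.

    Statements are keyed by Sid, so the check assumes each statement carries
    a unique Sid (true of the constructed samples above).
    """
    base = {s.get("Sid"): s for s in json.loads(baseline_json)["Statement"]}
    cur = {s.get("Sid"): s for s in json.loads(current_json)["Statement"]}
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    modified = sorted(sid for sid in set(base) & set(cur) if base[sid] != cur[sid])
    return added, removed, modified


def evaluate(baseline_json, current_json):
    """Alerts a scheduled monitoring job would raise for one policy snapshot."""
    alerts = []
    added, removed, modified = policy_changes(baseline_json, current_json)
    if added or removed or modified:
        alerts.append(f"policy changed: added={added} removed={removed} modified={modified}")
    exposed = public_statements(current_json)
    if exposed:
        alerts.append(f"PUBLIC ACCESS granted by statements {exposed}")
    return alerts


if __name__ == "__main__":
    for alert in evaluate(BASELINE_POLICY, DRIFTED_POLICY):
        print(alert)
```

Run periodically against the live policy of any bucket holding copied production data, the first alert fires on any change (the vendor's edit, in the scenario the FTC describes) and the second fires specifically when a change grants anonymous access, so the gap between exposure and discovery is minutes rather than the two days the page reports.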
The arstechnica article provides:
Prison phone company Global Tel*Link leaked the personal information of nearly 650,000 users and failed to notify most of the users that their personal data was exposed, the Federal Trade Commission said today. The company agreed to a settlement that requires it to change its security practices and offer free credit monitoring and identity protection to affected users, but the settlement doesn’t include a fine.
“Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing,” the FTC said.
Global Tel*Link has long been controversial because of the prices it charges for inmate-calling services. The company rebranded itself as ViaPath Technologies last year. The subsidiaries targeted in the FTC complaint are Telmate and TouchPay Holdings.
A security researcher notified Global Tel*Link of the breach on August 13, 2020, according to the FTC’s complaint. This happened just after “the company and a third-party vendor copied a large volume of sensitive, unencrypted personal information about nearly 650,000 real users of its products and services into the cloud but failed to take adequate steps to protect the data,” the FTC said.
The data was copied to a test environment built on the Amazon Web Services cloud platform to test a new version of a search software product. For about two days, the data was in the test environment and “accessible via the Internet without password protection or other access controls,” the FTC said.
Some users notified… 9 months later
After hearing from the security researcher, Global Tel*Link reconfigured the test environment to cut off public access. But a few weeks later, the firm was notified by an identity monitoring vendor that the data was available on the dark web. Global Tel*Link didn’t notify any users until May 2021, and even then, it only notified a subset of them, according to the FTC.
“Global Tel*Link waited approximately nine months to notify affected customers and only contacted 45,000 users—even though the breach may have affected hundreds of thousands of additional customers—that their personal data may have been compromised as a result of the data breach,” the FTC said. “This nine-month delay harmed users who did not have an opportunity to take actions to protect themselves from identity theft by implementing a credit freeze or other measures… The company also repeatedly and falsely claimed in marketing materials following the incident that it had never suffered a data breach.”
On multiple occasions after the breach, Global Tel*Link denied ever having a security breach in responses to prison facilities’ Requests for Proposals (RFPs), the complaint said. The company’s RFP responses claimed it had “never experienced a data security breach or had not experienced a data security breach within a particular time frame that includes the dates of the Incident,” the FTC said.
Users reported credit card fraud
The company publicly acknowledged what it called a “vulnerability” in September 2020 in a statement published by the news site Comparitech. The FTC complaint alleged that Global Tel*Link’s statement to Comparitech was false or misleading regarding the severity of the incident and the risk to consumers.
In November 2020, Global Tel*Link “received multiple complaints from consumers stating that the consumers’ personally identifiable information obtained from Respondents had been located on the dark web,” the FTC said. “This personally identifiable information included names, addresses, phone numbers, dates of birth, and driver’s license issue states. Some consumer complaints also indicated that consumers had been alerted to fraudulent transactions on their credit cards following the Incident.”
The FTC complaint said the exposed information included “full names; dates of birth; phone numbers; usernames or email addresses in combination with passwords; home addresses; driver’s license numbers; passport numbers; location information; information about individuals’ race, religion, and whether they are transgender; approximately 80,000 grievances submitted by incarcerated consumers to Facilities; and the content, dates and times, senders, and recipients of approximately 75,000 written messages that incarcerated and non-incarcerated users had exchanged using Respondents’ services. In numerous instances, the written messages contained payment card numbers, financial account information, and Social Security numbers.”
Settlement terms
The complaint said that Global Tel*Link violated the Federal Trade Commission Act’s section on unfair or deceptive acts or practices and charged the firm with unfair data security practices, unfair failure to notify affected consumers of the incident, misrepresentations regarding data security, misrepresentations to individual users regarding the incident, misrepresentations to individual users regarding notice, and deceptive representations to prison facilities regarding the incident.
To settle the charges, the company agreed to new security protocols, including “‘change management’ measures to all of its systems to help reduce the risk of human error, use of multifactor authentication, and procedures to minimize the amount of data it collects and stores,” the FTC said.
Global Tel*Link also has to notify the affected users who were not previously notified of the breach and provide them with credit monitoring and identity protection products. The product must include $1,000,000 worth of identity theft insurance to cover costs related to identity theft or fraud. The company must also notify consumers and prison facilities within 30 days of future data breaches and notify the FTC of the incidents, the agency said.
The settlement was approved by the FTC but is not final. It will be published in the Federal Register and be subject to a 30-day public comment period during which people could object to the agreement.
Violations of the settlement could result in fines of $50,120 for each violation, the FTC said. We contacted Global Tel*Link today and will update this article if the company responds.