Prison Phone Company Leaked 600,000 Users' Data and Didn't Notify Them (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Prison phone company Global Tel*Link leaked the personal information of nearly 650,000 users and failed to notify most of the users that their personal data was exposed, the Federal Trade Commission said today. The company agreed to a settlement that requires it to change its security practices and offer free credit monitoring and identity protection to affected users, but the settlement doesn't include a fine. "Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing," the FTC said.
A security researcher notified Global Tel*Link of the breach on August 13, 2020, according to the FTC's complaint (PDF). This happened just after "the company and a third-party vendor copied a large volume of sensitive, unencrypted personal information about nearly 650,000 real users of its products and services into the cloud but failed to take adequate steps to protect the data," the FTC said. The data was copied to an Amazon Web Services test environment to test a new version of a search software product. For about two days, the data was in the test environment and "accessible via the Internet without password protection or other access controls," the FTC said. After hearing from the security researcher, Global Tel*Link reconfigured the test environment to cut off public access. But a few weeks later, the firm was notified by an identity monitoring vendor that the data was available on the dark web. Global Tel*Link didn't notify any users until May 2021, and even then, it only notified a subset of them, according to the FTC. [...]
The complaint said that Global Tel*Link violated the Federal Trade Commission Act's section on unfair or deceptive acts or practices and charged the firm with unfair data security practices, unfair failure to notify affected consumers of the incident, misrepresentations regarding data security, misrepresentations to individual users regarding the incident, misrepresentations to individual users regarding notice, and deceptive representations to prison facilities regarding the incident. To settle the charges, the company agreed to new security protocols, including "'change management' measures to all of its systems to help reduce the risk of human error, use of multifactor authentication, and procedures to minimize the amount of data it collects and stores," the FTC said. Global Tel*Link also has to notify the affected users who were not previously notified of the breach and provide them with credit monitoring and identity protection products. The product must include $1,000,000 worth of identity theft insurance to cover costs related to identity theft or fraud. The company must also notify consumers and prison facilities within 30 days of future data breaches and notify the FTC of the incidents, the agency said. Violations of the settlement could result in fines of $50,120 for each violation, the FTC said.
Prisoners? In the USA? (Score:3, Interesting)
Do they even have any rights at all?
I mean, the constitutional changes that (finally) outlawed slavery have specific exceptions for prisoners to be enslaved... So really, the USA does still do slavery.
Re:Prisoners? In the USA? (Score:5, Informative)
Do they even have any rights at all?
I mean, the constitutional changes that (finally) outlawed slavery have specific exceptions for prisoners to be enslaved... So really, the USA does still do slavery.
I realize you are being facetious, but felons do indeed choose to give up some rights when they commit their crimes.
Nor is there any practical way around that. Somebody is going to have their rights removed; either wrongdoers or normals. The only question is which group.
Re: (Score:1)
Re: (Score:2)
This would be illegal in Germany.
Nobody is saying that the phone company in question should have leaked the information. I was merely explaining to Mr. Right that he had a few things wrong about his rights :p
Re: (Score:2)
Do you even know what is illegal in Germany?
To be fair, most ACs don't know what is illegal in Germany either. Nearly every time someone says "this is illegal in Germany" here on Slashdot they are actually wrong, especially when answering as generically as you did just now.
Re: (Score:2)
Re: (Score:1)
Sounds like the old "Banned in Boston" meme has had great-grandchildren.
Re: (Score:1)
No one is posting for getting modded up. Or are you?
Re: (Score:1)
It is most certainly illegal in most places in the world.
Only The United Fuckstates are ruled by a true mob.
Re: (Score:2)
I realize you are being facetious
Not facetious at all friend, that is the truth!
Re: (Score:3)
Do they even have any rights at all?
I mean, the constitutional changes that (finally) outlawed slavery have specific exceptions for prisoners to be enslaved... So really, the USA does still do slavery.
I realize you are being facetious, but felons do indeed choose to give up some rights when they commit their crimes.
Nor is there any practical way around that. Somebody is going to have their rights removed; either wrongdoers or normals. The only question is which group.
Slavery is wrong.
Just because someone commits a crime, doesn't mean that slavery is suddenly OK.
The USA is so fucked up that people can believe shit like this is just fine.
Re: (Score:2)
Ah. So you're saying that when Gateway computers were assembled by prisoners, those were all made by murderers and rapists?
Do you have a citation for that?
Re: (Score:2)
Slavery is wrong.
Just because someone commits a crime, doesn't mean that slavery is suddenly OK.
The USA is so fucked up that people can believe shit like this is just fine.
It's not actual slavery you idiot. You're getting all worked up by a troll. What the Constitution permits is for incarcerated prisoners to be subjected to forced/hard labor. Some people might consider that slavery. Most people, including myself don't. In fact, our most liberal state, California, permits forced labor.
Nobody here gives a fuck if you don't like it. Most people don't like being murdered / raped / robbed / beaten.. They aren't handing out forced labor to white-collar criminals. It's given to the real assholes. So stuff your indignation up your ass.
So, although you understand that murder is wrong, if someone commits a crime, does it become ok to murder them?
Re: (Score:2)
Slavery is wrong.
Just because someone commits a crime, doesn't mean that slavery is suddenly OK.
The USA is so fucked up that people can believe shit like this is just fine.
It's not actual slavery you idiot. You're getting all worked up by a troll. What the Constitution permits is for incarcerated prisoners to be subjected to forced/hard labor. Some people might consider that slavery. Most people, including myself don't. In fact, our most liberal state, California, permits forced labor.
Nobody here gives a fuck if you don't like it. Most people don't like being murdered / raped / robbed / beaten.. They aren't handing out forced labor to white-collar criminals. It's given to the real assholes. So stuff your indignation up your ass.
So, although you understand that murder is wrong, if someone commits a crime, does it become ok to murder them?
If you're asking, in a stupid-ass way, if I support the Death Penalty, you're goddamn right I do. If you MURDER someone, you have forfeited your right to live. T
Well you're just saying one crime deserves another and two wrongs make a right.
Re: (Score:3)
What rights specifically? I mean sure freedom of movement is gone. But where is it legally enumerated that prisoners are forced to use ludicrous phone companies that exist only to fuck over people that society itself does not want to defend?
While prisoners absolutely need to give up some rights (they are prisoners) at some point we also need to question why we accept that we blindly fuck them over at every turn.
Re: (Score:3)
Naturally felons lose freedom of movement and such, but the US removes far more rights than actually necessary. Apparently including the right to life and healthcare. Meanwhile, when wealthy people commit a crime, the place they go looks nicer than many law abiding lower income people have.
Re: (Score:3)
Poor people who write bad checks valued at thousands go to the bad prison, not club fed like the rich people who steal millions.
Poor people who get drunk and cause a traffic fatality get prison. Rich people who do that have 'affluenza' and get rehab.
Re: (Score:2)
President Trump committed rape.
So you're saying he's not actually free right now?
Re: (Score:2)
And if you have to use political leaning as a pejorative, you've conceded you really don't have any actual argument.
Re: (Score:1)
Normals get their rights removed all the time because it's easier to go after them than criminals.
Re: Prisoners? In the USA? (Score:1)
Re: (Score:2)
This comment should be modded up. ^
Amongst the random arguments, the point is being missed: the inmates are (rarely) the customers here. Mostly the people on the outside, paying for the calls, are the customers of GTL. So the free ppl are the ones getting screwed here. Not surprising, given how terrible GTL is (they recently changed their name: ViaPath Technologies, so no more GTL, now it's VPT).
-bZj
Re: (Score:3)
13th Amendment, section 1:
Neither slavery nor involuntary servitude, except as a punishment for crime whereof the party shall have been duly convicted, shall exist within the United States, or any place subject to their jurisdiction.
Re: (Score:3, Informative)
13th Amendment, section 1:
Neither slavery nor involuntary servitude, except as a punishment for crime whereof the party shall have been duly convicted, shall exist within the United States, or any place subject to their jurisdiction.
Right, so slavery is still a form of punishment.
Re: (Score:2)
Wouldn't customer data include the people on the outside that they're calling?
Re: (Score:2)
Yes, it will.
Re: (Score:2)
That's the entire premise of the modern trend towards Big Data analysis, that people will know similar people, so that all you need to monitor is association and clusters, not individual activity.
If the correlations are, in fact, devoid of any actual meaning, then that entire methodology breaks down.
There's a lot of money invested in the idea that this approach actually works, enough that they will presume guilt by association to avoid looking very stupid.
Scumbag companies (Score:4, Insightful)
Re: (Score:3)
Re:Scumbag companies (Score:4, Insightful)
Re: (Score:1)
No idea if it is true, but I read a story somewhere about a Judge (in USA obviously) who owns a prison!
Re: (Score:3)
No, a fine is too easy.
They should have their monopoly taken away - let any phone company run a prison payphone system.
That's what will change their system - threaten to let competition in. When the FCC threatened to do it, all the prison phone companies immediately filed lawsuits because they all knew what was at stake.
Re: (Score:3)
Their CXOs should be forced to use the company's "service" for their own phones for a few years.
Re: (Score:2)
The prisons love it because of legal kickbacks from the phone companies. See https://www.prisonphonejustice... [prisonphonejustice.org].
The US of Awesomness (Score:1)
Or is it the US of Awfullness?
You have a "prison phone company" ... seriously?
Seriously?
Seriously?
Seriously?
Re: (Score:2)
Prison Phone Companies? (Score:1)