FTC Takes Action Against Global Tel*Link Corp. for Failing to Adequately Secure Data, Notify Consumers After Their Personal Data Was Breached

Share This Post

The Federal Trade Commission will require prison communications provider Global Tel*Link Corp. and two of its subsidiaries to notify consumers of any future data breaches as part of a proposed settlement over charges they failed to secure sensitive data of hundreds of thousands of users stored in a cloud environment and failed to alert all those affected by the incident.

In a complaint, the FTC says that Falls Church, Va.,-based Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing.

“The FTC is committed to protecting the rights to privacy and security of personal information for all consumers, including incarcerated consumers and their loved ones,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “When consumers have little or no choice about whether to use a business’s products or services, the business has an even greater responsibility to ensure that its practices don’t cause harm.”

Global Tel*Link, which also does business as GTL and ViaPath Technologies, contracts with federal, state, and local jails, prisons, and similar institutions to provide communications services such as phone and video calls and payment services for incarcerated individuals. In the course of providing their services, Global Tel*Link and its subsidiaries collect personal information from consumers including their names, addresses, government identification numbers such as passport numbers or driver’s license numbers, Social Security numbers, and financial account information.

In marketing and other materials, Global Tel*Link touted its security practices by claiming that data security is “the cornerstone of what we do” and that it implemented a security architecture that included many safeguards such as encryption to ensure that its users’ data would not fall into the “wrong hands.”

The FTC says, however, that Global Tel*Link, failed to live up to these claims. In August 2020, as part of an effort to test new search software, the company and a third-party vendor copied a large volume of sensitive, unencrypted personal information about nearly 650,000 real users of its products and services into the cloud but failed to take adequate steps to protect the data. For example, Global Tel*Link stored the data in plain text and failed to deploy a firewall to protect the copied data, implement monitoring software that would have alerted the company if the security settings were changed, and inventory and track the consumer information uploaded to the copied data, according to the complaint. The copied data included individuals’ full names, dates of birth, phone numbers, usernames or email addresses in combination with passwords, Social Security numbers, location information, grievance forms, which can include very sensitive information, and messages exchanged between incarcerated individuals and their friends and family.

As a result of changes made by the company’s third-party vendor to the security settings for the data stored in the cloud, the personal data of many Global Tel*Link customers was left accessible via the internet without any safeguards to prevent unauthorized people from accessing and removing data from the test site—until a security researcher alerted the company about the security holes. A forensic analysis showed that a handful of hackers accessed billions of bytes of the exposed data. In early September, Global Tel*Link was notified again by an identity monitoring company that personal data belonging to Global Tel*Link users was available on the dark web, which is a collection of websites that are used to buy and sell illegally obtained personal data for fraud, identity theft and other nefarious purposes.

Despite this, Global Tel*Link waited approximately nine months to notify affected customers and only contacted 45,000 users—even though the breach may have affected hundreds of thousands of additional customers—that their personal data may have been compromised as a result of the data breach. This nine-month delay harmed users who did not have an opportunity to take actions to protect themselves from identity theft by implementing a credit freeze or other measures, according to the complaint. The company also repeatedly and falsely claimed in marketing materials following the incident that it had never suffered a data breach.

As part of the proposed order with the FTC, Global Tel*Link and two of its subsidiaries are prohibited from misrepresenting their data security practices and will be required, among other things, to:

  • implement a comprehensive data security program that includes several requirements such as the deployment of “change management” measures to all of its systems to help reduce the risk of human error, use of multifactor authentication, and procedures to minimize the amount of data it collects and stores;
  • notify users of its products affected by the data breach who did not previously receive notice and provide them with credit monitoring and identity protection products;
  • notify consumers and facilities within 30 days about future data breaches or security incidents that trigger any federal, state, or local breach reporting requirements and provide information about what data was impacted and how many consumers were affected; and
  • notify the FTC within 10 days of reporting a security incident to any local, state or federal authorities.

The Commission voted 3-0 to issue the proposed administrative complaint and to accept the consent agreement with the company.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $50,120. 

The lead attorneys on this matter are Robin Wetherill and Manmeet Dhindsa.

Official news published at https://www.ftc.gov/news-events/news/press-releases/2023/11/ftc-takes-action-against-global-tellink-corp-failing-adequately-secure-data-notify-consumers-after

Related Posts

VIP Minds CEO and Visionary Nora Abou Chakra Launches ‘Power Hearts,’ a Transformative Initiative Driving Social Change

CEOs revolutionizing philanthropy through inspiring charitable actions

Today marks the launch of "Power Hearts," an innovative initiative led by businesswoman and visionary Nora Abou Chakra. With each endeavor, Power Hearts embarks on a different mission, empowering CEOs to take direct action and make a tangible impact. Through immersive experiences and hands-on involvement, Power Hearts addresses pressing societal issues, fostering empathy and inspiring CEOs to become advocates for change within their organizations and communities.

Nora Abou Chakra, a respected entrepreneur known for her philanthropic endeavors, has once again demonstrated her commitment to driving social change with the launch of Power Hearts. Under this empowering initiative, CEOs from diverse industries come together to tackle pressing issues and create transformative solutions.

An example of these missions is hunger. Power Hearts combats hunger and alleviate the suffering of those affected by it. CEOs gather in a large-scale communal kitchen, where they actively participate in purchasing groceries and cooking meals for those in need.

The immersive experience provided by Power Hearts goes beyond the kitchen. CEOs physically hit the streets, personally distributing the freshly prepared meals to individuals experiencing hunger. This direct interaction with those in need further deepens their understanding of the issue, sparking a profound connection and a sense of shared humanity.

CEOs return to their organizations with a renewed perspective and a profound commitment to addressing the issue of hunger. They become ambassadors for change, leveraging their influence and resources to advocate for hunger relief initiatives within their respective communities and among their staff members.

Nora Abou Chakra, the driving force behind Power Hearts, expressed her enthusiasm for the initiative, stating, "Power Hearts aims to create a ripple effect of compassion and advocacy. By immersing CEOs in the realities of pressing social issues, we ignite a powerful drive for change that reverberates throughout their personal and professional spheres. Together, we can make a significant difference and create a more compassionate and equitable world."

Power Hearts represents Nora Abou Chakra's unwavering commitment to leveraging the influence and resources of business leaders for the greater good. By providing CEOs with transformative experiences, Power Hearts empowers them to become catalysts for change and advocates for social causes that resonate with their hearts.

For more information about Power Hearts and its upcoming initiatives, please visit powerhearts.com or follow us on @power.hearts

Contact Information:
Stephanie Khalil
Executive Assistant to CEO

Original Source: VIP Minds CEO and Visionary Nora Abou Chakra Launches 'Power Hearts,' a Transformative Initiative Driving Social Change

NAACP Excellence in Teaching Award Winner Andee Nunn Releases Memoir, ‘Magic in Room 216’, on Cyber Monday

Profound Education and Inspirational Life Journey Enshrines Era of Inclusion DANBURY, Conn., November 27, 2023 (New...
green agriculture project
- Part of VUGA Media group -best seo company