{"id":43117,"date":"2023-11-16T10:41:17","date_gmt":"2023-11-16T15:41:17","guid":{"rendered":"https:\/\/d56fg8tfg.fitnews.club\/finance\/ftc-takes-action-against-global-tellink-corp-for-failing-to-adequately-secure-data-notify-consumers-after-their-personal-data-was-breached\/"},"modified":"2023-11-16T10:41:17","modified_gmt":"2023-11-16T15:41:17","slug":"ftc-takes-action-against-global-tellink-corp-for-failing-to-adequately-secure-data-notify-consumers-after-their-personal-data-was-breached","status":"publish","type":"post","link":"https:\/\/d56fg8tfg.fitnews.club\/finance\/ftc-takes-action-against-global-tellink-corp-for-failing-to-adequately-secure-data-notify-consumers-after-their-personal-data-was-breached\/","title":{"rendered":"FTC Takes Action Against Global Tel*Link Corp. for Failing to Adequately Secure Data, Notify Consumers After Their Personal Data Was Breached"},"content":{"rendered":"
\n

The Federal Trade Commission will require prison communications provider Global Tel*Link Corp. and two of its subsidiaries to notify consumers of any future data breaches as part of a proposed settlement over charges they failed to secure sensitive data of hundreds of thousands of users stored in a cloud environment and failed to alert all those affected by the incident.<\/p>\n

In a complaint<\/a>, the FTC says that Falls Church, Va.,-based Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing.<\/p>\n

\u201cThe FTC is committed to protecting the rights to privacy and security of personal information for all consumers, including incarcerated consumers and their loved ones,\u201d said Samuel Levine, Director of the FTC\u2019s Bureau of Consumer Protection. \u201cWhen consumers have little or no choice about whether to use a business\u2019s products or services, the business has an even greater responsibility to ensure that its practices don\u2019t cause harm.\u201d<\/p>\n

Global Tel*Link, which also does business as GTL and ViaPath Technologies, contracts with federal, state, and local jails, prisons, and similar institutions to provide communications services such as phone and video calls and payment services for incarcerated individuals. In the course of providing their services, Global Tel*Link and its subsidiaries collect personal information from consumers including their names, addresses, government identification numbers such as passport numbers or driver\u2019s license numbers, Social Security numbers, and financial account information.<\/p>\n

In marketing and other materials, Global Tel*Link touted its security practices by claiming that data security is \u201cthe cornerstone of what we do\u201d and that it implemented a security architecture that included many safeguards such as encryption to ensure that its users\u2019 data would not fall into the \u201cwrong hands.\u201d<\/p>\n

The FTC says, however, that Global Tel*Link, failed to live up to these claims. In August 2020, as part of an effort to test new search software, the company and a third-party vendor copied a large volume of sensitive, unencrypted personal information about nearly 650,000 real users of its products and services into the cloud but failed to take adequate steps to protect the data. For example, Global Tel*Link stored the data in plain text and failed to deploy a firewall to protect the copied data, implement monitoring software that would have alerted the company if the security settings were changed, and inventory and track the consumer information uploaded to the copied data, according to the complaint. The copied data included individuals\u2019 full names, dates of birth, phone numbers, usernames or email addresses in combination with passwords, Social Security numbers, location information, grievance forms, which can include very sensitive information, and messages exchanged between incarcerated individuals and their friends and family.<\/p>\n

As a result of changes made by the company\u2019s third-party vendor to the security settings for the data stored in the cloud, the personal data of many Global Tel*Link customers was left accessible via the internet without any safeguards to prevent unauthorized people from accessing and removing data from the test site\u2014until a security researcher alerted the company about the security holes. A forensic analysis showed that a handful of hackers accessed billions of bytes of the exposed data. In early September, Global Tel*Link was notified again by an identity monitoring company that personal data belonging to Global Tel*Link users was available on the dark web, which is a collection of websites that are used to buy and sell illegally obtained personal data for fraud, identity theft and other nefarious purposes.<\/p>\n

Despite this, Global Tel*Link waited approximately nine months to notify affected customers and only contacted 45,000 users\u2014even though the breach may have affected hundreds of thousands of additional customers\u2014that their personal data may have been compromised as a result of the data breach. This nine-month delay harmed users who did not have an opportunity to take actions to protect themselves from identity theft by implementing a credit freeze or other measures, according to the complaint. The company also repeatedly and falsely claimed in marketing materials following the incident that it had never suffered a data breach.<\/p>\n

As part of the proposed order<\/a> <\/b>with the FTC, Global Tel*Link and two of its subsidiaries are prohibited from misrepresenting their data security practices and will be required, among other things, to:<\/p>\n