FTC targets telecom provider for inmates after massive data breach
The Federal Trade Commission said Thursday that it wants to require a prison communications provider to improve its security practices and incident reporting policies after the company failed to protect sensitive information about “hundreds of thousands” of users and did not notify all victims of the breach.
The draft complaint and proposed order against Virginia-based Global Tel*Link Corp., which also does business as GTL and ViaPath Technologies, won’t go into effect until the public is given an opportunity to comment and FTC commissioners take a final vote.
Global Tel*Link and two of its subsidiaries allegedly stored users’ unencrypted sensitive data in cloud services, and once it was breached didn’t tell some customers what had happened, the FTC said.
The company contracts with federal, state and local jails and prisons, offering phone and video calls and payment services to the incarcerated.
Global Tel*Link and its subsidiaries collect customers’ names, addresses, government identification numbers such as passport numbers or driver’s license numbers, Social Security numbers, and financial account information, the FTC said in a press release.
An FTC official highlighted that the incarcerated are a particularly vulnerable customer base because they have few options for talking with loved ones.
“When consumers have little or no choice about whether to use a business’s products or services, the business has an even greater responsibility to ensure that its practices don’t cause harm,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a prepared statement.
Global Tel*Link does not include contact information for a spokesperson on its website and had not posted a press release on the complaint by press time. ViaPath Technologies did not respond to an email seeking comment.
In its complaint the FTC noted that Global Tel*Link markets its data security practices as “the cornerstone of what we do” and says that it uses encryption so that users’ data will not end up in the “wrong hands.”
However, the FTC said that in August 2020 Global Tel*Link did just the opposite while testing new search software. The FTC alleges that during those tests the company and a third-party vendor “copied a large volume of sensitive, unencrypted personal information about nearly 650,000 real users of its products and services into the cloud but failed to take adequate steps to protect the data.”
The data was stored in plain text, the FTC said, and the company did not use a firewall or any software that would alert it if the security settings on that cloud environment were changed.
The copied data included individuals’ full names, dates of birth, phone numbers, usernames or email addresses in combination with passwords, Social Security numbers, location information, grievance forms, and messages exchanged between incarcerated individuals and their loved ones, the FTC alleges.
Once copied, the customers’ data could be easily accessed over the internet, an exposure that could have continued indefinitely had a security researcher not alerted the company to the problem.
A forensic analysis revealed that hackers did in fact access “billions of bytes of the exposed data,” the FTC said in its press release.
The FTC said that Global Tel*Link was alerted again about the data risks when an identity monitoring company told it that users’ sensitive data was available on the dark web.
But the FTC said Global Tel*Link failed to inform affected customers for about nine months, only contacting 45,000 users even though hundreds of thousands of additional users could have been impacted.
The nine-month delay denied affected users the chance to protect themselves from identity theft by placing a credit freeze or taking other measures.
“The company also repeatedly and falsely claimed in marketing materials following the incident that it had never suffered a data breach,” the FTC press release said.
The proposed order would require Global Tel*Link and two of its subsidiaries to stop misrepresenting their data security practices; create a new comprehensive data security program that would use “change management” measures to protect its systems from human error; implement multifactor authentication; notify customers and facilities of future data breaches within 30 days; and minimize the data it gathers and keeps, among other things.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.