- A GTL-owned inmate communications platform has exposed a large set of personal data.
- The information that was left exposed online compromises both prisoners and their outside contacts.
- The owner’s response was immediate, but someone may have had the time to access and exfiltrate the database.
The “Telmate” platform that specializes in inmate communications has exposed the personal details of millions of prisoners, as well as their outside contacts. In most cases, that would be friends and family, but the situation is far more complicated for some inmates.
The exposure came through an unprotected database that was discovered by Bob Diachenko on August 13, 2020, while the owner of Telmate, Global Tel Link, responded to the researcher’s alert in just a couple of hours. While the securing of the database came quickly, the total exposure period remains unknown.
The following information was found in the millions of records contained in three individual indexes:
- Text message contents
- Timestamps
- Inmate DoB, Facility ID, Full Name, and Sex
- Recipient full name, email address, street address, IP address, and driver’s license number
- Prisoner full name, offense, facility, and account balance
- Call details like duration and times, but not actual recordings
- Administrative records containing login details for the Telmate dashboard
- Grievances filed by inmates requesting transfers, education, legal assistance, clothing, etc.
So, this data leak affects inmates, their contacts, and also Telmate administrators. This triple trouble translates to a wide range of potential exploitation, risks, dangers, etc. From scammers to people looking for retaliation, anyone could use the above details to attack the exposed individuals.
Also, family members and friends could become subject to harassment or even discrimination. Of course, phishing attacks are also included in the sphere of possibilities, as there’s a rich set of data that can be combined to create convincing social engineering settings.
Global Tel Link is a US-based firm that owns and develops Telmate. Telmate, in turn, develops and operates “GettingOut” and “Guardian.” The first one is an internet-based app that enables inmates to create and send media messages to the world outside, as well as to receive messages. Guardian is an app that monitors the location of inmates who are out on parole.
As Diachenko clarifies, there are no data from these two platforms in the exposed database, so the incident hasn’t affected Guardian or GettingOut data.
GTL has already had legal trouble with the allegedly exploitative manner they decided what to charge inmates and their families for communications, so this data exposure may bring additional lawsuits and demands for compensation. In any case, they mishandled very sensitive data, and the implications from this occurrence are dire.