
FTC Orders GTL/ViaPath to Help 650,000 Customers Whose Info Was Stolen, Posted on Dark Web

by Douglas Ankney

On February 24, 2024, the Federal Trade Commission (FTC) issued its final order requiring prison calling-service provider Global Tel*Link (GTL) “to change its security practices and offer free credit monitoring and identity protection” to some 650,000 customers whose personal information was stolen and made available on the dark web.

The order formalizes an agreement proposed in November 2023, after the firm known since 2022 as ViaPath Technologies and two subsidiaries—Telmate and Touchpay Holdings—“failed to implement adequate security safeguards to protect personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing.”

On August 13, 2020, Comparitech security researcher Bob Diachenko informed GTL that a security breach had occurred shortly after the firm and a third-party vendor “copied a large volume of sensitive, unencrypted personal information about nearly 650,000 real users of its products and services” into a publicly available cloud computing platform “but failed to take adequate steps to protect the data,” according to the FTC’s complaint. The data copy was meant to test a new version of software on the Amazon Web Services cloud platform. But for two days it was “accessible via the internet without password protection or other access controls,” the complaint noted.

The exposed data included text message metadata revealing prisoners’ full names, sex, birthdates, offenses and place of incarceration—even their GTL account balances. Also included were recipients’ full names, email and street addresses, phone numbers, driver’s license numbers and IP addresses. Upon notification, GTL “cut off public access,” the complaint allowed. However, the company was informed just a few weeks later that the data was available on the dark web, yet GTL officials inexcusably waited until May 2021 before notifying any users—and even then notified only 45,000, a fraction of those affected. “This nine-month delay,” the FTC complaint read, “harmed users who did not have an opportunity to take actions to protect themselves from identity theft.” Meanwhile GTL “also repeatedly and falsely claimed in marketing materials following the incident that it had never suffered a data breach.”

The agreement requires GTL/ViaPath to “notify consumers and facilities within 30 days about future data breaches or security incidents that trigger any federal, state, or local breach reporting requirements,” as well as to notify the FTC within 10 days of making such a report. It’s unclear what prisoners are supposed to do during the first 29 days after their personal information is exposed, when they can legally be kept in the dark. As FTC Bureau of Consumer Protection Director Samuel Levine noted, “When consumers have little or no choice about whether to use a business’s products or services, the business has an even greater responsibility to ensure that its practices don’t cause harm.” But then so does the FTC in regulating prison profiteers, yet it has set the bar for ViaPath fairly low. See: In the Matter of Global Tel*Link Corp., FTC Complaint No. 212-3012 (2023).

Additional sources: Ars Technica, Comparitech

