Telmate, a company that facilitates monitored inmate communications with the outside world, has exposed a large database containing tens of millions of call logs, private messages, and personal information about inmates and their contacts.
Bob Diachenko, a security researcher with Comparitech, discovered the unsecured database on August 13 and immediately reported it to Global Tel Link, which owns Telmate.
The company secured the database in less than three hours but, according to Comparitech’s Paul Bischoff, “it’s possible that other unauthorized parties accessed it prior to Diachenko’s disclosure.” Bischoff’s theory apparently more than holds water. Databreaches.net claims “it definitely happened, as [it] had been contacted about this leak prior to Diachenko’s discovery.”
Comparitech notes that, based on samples of the data, the exposure likely impacts prisoners in facilities everywhere that GTL operates. Since GTL is the largest provider of prison telephone services, commanding about half of the US market, the leak is massive, to say the least.
Many of the records seem to be collected from prison-issued tablets running Telmate’s GettingOut service. The database contained three indexes, including 227,770,157 message records, 11,210,948 inmate records, and 78,885 administrative records containing login details for the Telmate dashboard.
“The login details for Telmate’s dashboard are used by personnel at prisons and jails to access call and message logs,” Bischoff explains. “Their exposure could give hackers the means to break into those systems and steal call recordings or other data.”
The leak includes conversations between inmates and their friends and families. Leaked prisoner records include full name, offense, facility and account balance. Call and message recipients’ details recorded in the database contained full name, email address, phone number, street address and driver’s license number. Anyone who had access to the data prior to Diachenko’s discovery could use it in phishing scams and fraud, or even for harassment.
GTL issued the following statement after Diachenko’s discovery:
“Telmate, a GTL subsidiary, immediately locked down the server as a precaution upon being made aware of a vulnerability in the data system due to the actions of one of our vendors. This vulnerability was swiftly corrected, the data security team was immediately supplemented with the assistance of third-party consultants and we continue to work closely with law enforcement authorities as we conduct further inquiry into this incident. Based on the current facts of the investigation, no medical data, passwords, or consumer payment information were affected. We continue to speak with and notify necessary parties, including the affected Telmate customers – a small subset of all GTL customers – about the incident and the actions we have taken to safeguard data.”