Incident and breach response, security operations
New reporting measures impact prison communications providers after data breach
Chris Liotta (@Chris Liotta) • February 23, 2024
The Federal Trade Commission has finalized new requirements for prison communications providers that failed to notify hundreds of thousands of users that their sensitive data had been compromised in a massive data breach.
Under the order announced Friday, Global Tel*Link Corp. and its two subsidiaries must implement comprehensive data security programs and notify users of any future breaches. According to the FTC, prison communications providers must adopt multi-factor authentication and put change control measures in place across their systems “to reduce the risk of human error.”
The commission voted 3-0 in November after receiving complaints about Global Tel*Link alleging that the company and its subsidiaries failed to protect sensitive personal information belonging to hundreds of thousands of users in U.S. prisons. The order was finalized. Global Tel*Link said it was testing new search software in August 2020 when the company and a third-party vendor copied unencrypted sensitive data about approximately 650,000 users. The information was stored in the cloud in plain text.
The company rebranded to ViaPath Technologies in January 2022.
The FTC announced in November that the data, including Social Security numbers, names, and other sensitive information, was “accessible over the Internet without any safeguards.” According to forensic analysis, the hackers accessed billions of bytes of exposed data before security researchers finally notified Global Tel*Link about it.
FTC Consumer Protection Director Samuel Levine said in a statement that the commission is committed to protecting the privacy rights of “all consumers, including incarcerated consumers and their loved ones.”
“When consumers have little or no choice about whether to use a company’s products or services, companies have a greater responsibility to ensure that their actions do no harm,” Levine said.
Global Tel*Link waited nearly nine months to contact consumers affected by the breach, but only alerted 45,000 users that their data may have been compromised. Under the new order, the company must alert users it previously failed to notify and provide credit monitoring and privacy solutions to all affected users.
The company would also be required to notify consumers and establishments of any future breaches or security incidents within 30 days, and to notify the FTC within 10 days of reporting a security incident to authorities.
Global Tel*Link also changed its data security practices after the commission found that the company “advertised its security practices by claiming that data security was ‘foundational to what we do.’” Misrepresentation is also prohibited.