Telmate, a US-based telecom company that provides services to U.S. prisoners, exposes millions of messages between inmates and their friends and families
Another day, another leak. Telmate, a U.S.-based telecom company offering monitored mobile/telephone services to prisons and correctional facilities in the United States, has unwittingly leaked a large database containing tens of millions of call logs, private messages, and personal information about inmates and their contacts.
The data leak was noticed by Bob Diachenko, a security researcher with Comparitech. Diachenko, who has been at the forefront of researching leaked databases, discovered the unsecured Telmate database on August 13 and immediately reported it to Global Tel Link, which owns Telmate. The leak was plugged immediately after Diachenko informed the company.
Comparitech says that the Telmate database was left exposed long enough for hackers and cybercriminals to access it. Comparitech’s Paul Bischoff says that “it’s possible that other unauthorized parties accessed it prior to Diachenko’s disclosure.”
Diachenko notes that the database exposed prisoners’ confidential information from all facilities that Global Tel Link operates in. Since GTL is the largest provider of prison telephone services, commanding about half of the US market, the leak is massive and could affect thousands of prisoners, their families, friends, and contacts.
The exposed database is made up of prisoner records collected from prison-issued tablets running Telmate’s GettingOut service. The database contained three indexes, including 227,770,157 message records, 11,210,948 inmate records, and 78,885 administrative records containing login details for the Telmate dashboard.
“The login details for Telmate’s dashboard are used by personnel at prisons and jails to access call and message logs,” Bischoff explains. “Their exposure could give hackers the means to break into those systems and steal call recordings or other data.”
The database includes private conversations between inmates and their friends and families, as well as prisoners’ full names, offenses, facilities, and account balances. The call and message recipients’ details recorded in the database included full name, email address, phone number, street address, and driver’s license number.
Diachenko had earlier in the week discovered an Amazon S3 bucket exposing driving licenses of Australians staying in New South Wales.