AngelSense, an assistive technology company that provides location monitoring devices for people with disabilities, was exposing the personal information and precise location data of its users to the open internet, TechCrunch has learned.
The company secured the server on Monday, more than a week after it was notified of the data exposure by researchers at the security company UpGuard.
UpGuard shared the details of the exposure exclusively with TechCrunch after AngelSense resolved the issue. UpGuard has since published a blog post on the incident.
AngelSense, based in New Jersey, provides GPS trackers and location monitoring to thousands of customers, according to its mobile app listing, and is promoted by law enforcement and police departments in the United States.
According to UpGuard researchers, AngelSense left an internal database exposed to the internet without a password, allowing anyone to access the data inside using only a web browser and knowledge of the database's public IP address. The database was storing logs updated in real time by an AngelSense system, which included the personal information of AngelSense customers, as well as technical logs about the company's systems.
UpGuard said it had found customers' personal data, such as names, postal addresses and telephone numbers, in the exposed database. The researchers said they had also found GPS coordinates of monitored people, including associated health information about the monitored person, which included conditions such as autism and dementia. The researchers also found email addresses, passwords and authentication tokens for accessing customers' accounts, as well as partial credit card information, all visible in plaintext, UpGuard said.
It is not known for how long the database was exposed. According to the database's listing on Shodan, a search engine for internet-facing devices and systems, AngelSense's exposed logging database was first identified online on January 14, although it may have been exposed some time before.
AngelSense CEO Doron Somer confirmed to TechCrunch that the company took the exposed server offline after initially identifying UpGuard's first email as spam.
“It was only when UpGuard phoned us that the problem was raised to our attention,” Somer said. “Upon its discovery, we acted promptly to validate the information provided and to remedy the vulnerability.”
“We note that apart from UpGuard, we have no information that suggests that it was possible to access any data on the logging system. Nor do we have evidence or indications that the data have been used improperly or are threatened with improper use,” Somer told TechCrunch, claiming that the data “were not sensitive personal information.”
Somer would not say whether the company has the technical means to determine if the unprotected server was accessed before UpGuard's discovery.
Asked whether the company planned to notify the customers and affected individuals whose data was exposed, Somer said that the company was still investigating.
“If a notice to regulators or people is warranted, we will obviously provide it,” Somer said.
Somer did not respond to a follow-up inquiry by press time.
Database exposures are often the result of misconfigurations caused by human error, rather than malicious intent, and have become an increasingly common occurrence in recent years. Similar lapses involving exposed databases have led to the leak of sensitive U.S. military emails, the real-time leak of text messages containing two-factor codes, and chat histories from AI chatbots.