AngelSense, a company specializing in assistive technology that offers location tracking devices for individuals with disabilities, has reportedly been leaking personally identifiable information and precise geographic data about its users onto the open internet, as revealed by TechCrunch.
The firm secured the vulnerable server on Monday, over a week after security researchers at UpGuard first notified the company of the data breach.
UpGuard provided exclusive details of the breach to TechCrunch after AngelSense rectified the situation. The security firm has since released a blog post discussing the incident.
Based in New Jersey, AngelSense serves thousands of clients with GPS tracking and location services, as indicated by their mobile app listing. The service is recognized by various law enforcement agencies across the U.S.
According to UpGuard’s analysis, AngelSense left an internal database accessible on the internet without password protection, permitting anyone to retrieve the data using just a web browser and knowledge of the database’s public IP address. This database contained real-time log updates from the AngelSense systems, which encompassed personal details of customers, alongside technical logs about the company’s operations.
UpGuard discovered that the exposed database contained sensitive personal information, including names, addresses, and phone numbers. The researchers also identified GPS coordinates of individuals under surveillance, along with relevant health information, noting conditions such as autism and dementia. Furthermore, the database included email addresses, passwords, and authentication tokens for customer accounts, as well as partial credit card details, all displayed in plaintext format, according to UpGuard.
The duration of the database’s exposure and the total number of affected clients remain unknown. Information from the database’s listing on Shodan, a search engine for internet-connected devices, indicates that the exposed logging database was initially detected online on January 14, although it could have been available for some time prior.
Doron Somer, CEO of AngelSense, confirmed to TechCrunch that the company acted to take down the exposed server after mistakenly identifying UpGuard’s initial email as spam.
“It was only after UpGuard called us that we recognized the issue,” Somer stated. “Once it was brought to our attention, we promptly validated the information shared and worked to resolve the vulnerability.”
“We have no information, aside from what UpGuard provided, that indicates any data from the logging system was accessed. Furthermore, we have not found evidence suggesting that the data has been misused or is at risk of being misused,” Somer stated, asserting that the exposed data was “not sensitive personal information.”
Somer did not clarify whether the company had the technical capabilities to determine if there had been any unauthorized access to the unsecured server before UpGuard’s discovery.
When asked about plans to inform affected customers and individuals whose data may have been compromised, Somer mentioned that the investigation is still ongoing.
“If it becomes necessary to notify regulators or individuals, we will certainly do so,” Somer said.
Somer did not respond to a follow-up inquiry by the time of this report.
Database breaches often result from misconfigurations due to human error rather than deliberate malicious actions, and such incidents have become increasingly prevalent in recent years. Similar security oversights have led to the exposure of sensitive U.S. military emails, real-time leaks of two-factor authentication codes, and chat histories from AI dialogue systems.
Compiled by Techarena.au.


