AngelSense, a New Jersey-based assistive technology company, inadvertently left an internal database exposed to the internet without a password. The database contained sensitive customer information, including real-time logs, names, postal addresses, phone numbers, email addresses, and partial credit card details. This mishap was first identified on January 14 by Shodan, a search engine that indexes internet-facing devices and systems. On the same day, UpGuard, a prominent security firm, alerted AngelSense to the data exposure.
The unprotected database posed a significant risk as it stored not only personal customer information but also technical logs about AngelSense's systems. Additionally, email addresses, passwords, and authentication tokens used for accessing customer accounts were visible without encryption. Despite being alerted to the potential security threat, AngelSense took over a week to secure the exposed server.
AngelSense provides GPS trackers and location monitoring services to thousands of customers and is endorsed by law enforcement agencies across the United States. The company's chief executive, Doron Somer, addressed the situation by confirming that the exposure was due to a human error during system configuration. He said that the exposed server was taken offline, and that UpGuard's warning had initially been mistaken for spam.
“We note that other than UpGuard, we have no information suggesting that any data on the logging system potentially was accessed. Nor do we have any evidence or indication that the data has been misused or is under threat of misuse,” – Somer
While AngelSense claimed that the exposed data did not constitute sensitive personal information, the incident raised concerns about the company's data security practices. UpGuard published a detailed blog post regarding the incident once AngelSense addressed the lapse, highlighting the growing issue of database exposures in recent years.
AngelSense has stated its intention to notify regulators or affected individuals if further investigation warrants such action.
“If notice to regulators or persons is warranted, we will of course provide it,” – Somer
This incident underscores the importance of robust data protection measures and vigilance in securing sensitive customer information. As database exposures become increasingly common, companies must prioritize cybersecurity to prevent unauthorized access and potential misuse of personal data.