On 16 November 2023, the Federal Trade Commission (FTC) issued a decision against Tel*Link Corp. (GTL) and its subsidiaries, Telmate LLC and TouchPay Holdings LLC, concerning data breach. The FTC found that the companies failed to implement adequate security measures to protect users' personal information while having copied sensitive unencrypted data of 649'500 users into the cloud for testing purposes. The actions allowed malicious users to gain access to the personal information stored in the cloud. Despite alleged knowledge of these security vulnerabilities, GTL only informed affected customers about the data breach after nine months, contacting only 45'000 of the affected users. The FTC has ordered GTL and its subsidiaries to disclose their data security practices and implement a comprehensive data security program. The requirements for GTL include the implementation of change management measures, multi-factor authentication, and processes to reduce the amount of data stored. In addition, GTL and its subsidiaries must notify affected users of data breaches, provide them with credit monitoring and identity protection products, report future data breaches or security incidents to the FTC within 30 days and notify the FTC of such incidents within 10 days.
Original source