Angelsense Data Breach: Location & Personal Info Exposed

AngelSense Data Leak Exposes Vulnerable Users

AngelSense, a company specializing in assistive technology and providing location monitoring for individuals with disabilities, experienced a significant data breach. Personally identifiable information and precise location data belonging to its users was discovered to be accessible on the open internet, as reported by TechCrunch.

Server Secured After Delay

The exposed server was finally secured by the company on Monday. This action occurred over a week after security researchers at UpGuard initially alerted AngelSense to the data leak.

Details Shared with TechCrunch

UpGuard exclusively shared the specifics of the exposure with TechCrunch before publishing a detailed blog post outlining the incident. Their findings highlighted a critical security vulnerability.

AngelSense's Role in Public Safety

Based in New Jersey, AngelSense offers GPS trackers and location monitoring services to a large customer base. The company’s technology is actively recommended by law enforcement and police departments throughout the United States.

Unprotected Database Exposed

Researchers at UpGuard determined that AngelSense had left an internal database accessible on the internet without any password protection. This allowed unauthorized access to the data contained within, requiring only a web browser and the database’s public IP address.

Sensitive Data at Risk

The exposed database contained real-time logs from the AngelSense system. This included personal information of customers, alongside technical logs related to the company’s infrastructure.

UpGuard identified customers’ names, postal addresses, and phone numbers within the database. Critically, the researchers also discovered GPS coordinates of monitored individuals, coupled with associated health information, including diagnoses such as autism and dementia.

Furthermore, email addresses, passwords, authentication tokens for account access, and even partial credit card details were found in plaintext format.

Exposure Timeline and Impact

The exact duration of the database exposure and the total number of affected customers remain unknown. According to Shodan, a search engine for internet-connected devices, the exposed logging database was first detected online on January 14th, though it may have been vulnerable for a longer period.

Company Response and Initial Dismissal

AngelSense chief executive Doron Somer confirmed to TechCrunch that the company took the server offline after initially dismissing UpGuard’s first email as spam.

“The issue was brought to our attention only when UpGuard contacted us by phone,” Somer stated. “We promptly validated the information and addressed the vulnerability upon discovery.”

Claims of Limited Access and Data Sensitivity

Somer asserted that, aside from UpGuard, there is no evidence suggesting any other unauthorized access to the data. He also claimed there is no indication of misuse or potential threat. He further stated the exposed data “was not sensitive personal information.”

Lack of Access Logs and Investigation

Somer declined to comment on whether the company possesses the technical capabilities to determine if any access occurred before UpGuard’s notification.

Customer Notification Under Review

When questioned about notifying affected customers and individuals whose data was exposed, Somer indicated that the company was still conducting an investigation.

“We will provide notice to regulators or individuals if it is deemed necessary,” Somer said.

No Further Response

Somer did not respond to a subsequent inquiry before publication.

Common Cause of Database Exposures

Database exposures are frequently the result of misconfigurations stemming from human error, rather than malicious attacks. These incidents have become increasingly prevalent in recent years.

Similar security lapses have previously led to the exposure of sensitive U.S. military emails, the real-time leakage of text messages containing two-factor authentication codes, and chat logs from artificial intelligence chatbots.