AngelSense Exposes User Data, Including Location and Health Info, Due to Unsecured Server

Starfolk

January 30, 2025 · 4 min read

AngelSense, a company that provides location monitoring devices for people with disabilities, has been found to have exposed the personally identifiable information and precise location data of its users to the open internet. The company secured the exposed server on Monday, more than a week after it was alerted to the data leak by researchers at security firm UpGuard.

The New Jersey-based AngelSense provides GPS trackers and location monitoring to thousands of customers, according to its mobile app listing, and is touted by law enforcement and police departments across the United States. However, the company's failure to secure its internal database has put the sensitive information of its users at risk.

According to UpGuard's researchers, AngelSense left an internal database exposed to the internet without a password, allowing anyone to access the data inside using only a web browser and knowledge of the database's public IP address. The database was storing logs, updated in real time, from an AngelSense system; these included the personal information of AngelSense customers as well as technical logs about the company's systems.

The exposed data included customers' personal information, such as names, postal addresses, and phone numbers, as well as GPS coordinates of individuals being monitored. The researchers also found associated health information about the tracked person, including conditions like autism and dementia. Furthermore, email addresses, passwords, and authentication tokens for accessing customer accounts, as well as partial credit card information, were all visible in plaintext.

It is currently unknown exactly how long the database was exposed or how many customers were affected. According to the database's listing on Shodan, a search engine of internet-facing devices and systems, AngelSense's exposed logging database was first spotted online on January 14, although it may have been exposed some time earlier.

AngelSense chief executive Doron Somer confirmed to TechCrunch that the company took the exposed server offline after initially identifying UpGuard's first email as spam. "It was only when UpGuard phoned us that the issue was raised to our attention," Somer said. "Upon its discovery, we acted promptly to validate the information provided to us and to remedy the vulnerability."

Somer claimed that the data exposed was "not sensitive personal information," and stated that the company has no information suggesting that any data on the logging system was accessed or misused. However, when asked if the company has the technical means to determine if there was any access to the unprotected server prior to UpGuard's discovery, Somer would not provide an answer.

The company is still investigating whether to notify affected customers and individuals whose data was exposed. "If notice to regulators or persons is warranted, we will of course provide it," Somer said. However, Somer did not respond to a follow-up inquiry by press time, leaving many questions unanswered.

This incident highlights the importance of proper database security and the potential consequences of misconfigurations caused by human error. Similar lapses involving exposed databases have led to the spill of sensitive U.S. military emails, the real-time leak of text messages containing two-factor codes, and the exposure of chat histories from AI chatbots. As the use of assistive technology continues to grow, it is crucial that companies prioritize the security and privacy of their users' sensitive information.

The incident also raises questions about the accountability of companies that handle sensitive user data. While AngelSense has taken steps to remedy the vulnerability, the company's response to the incident has been criticized for being inadequate. The lack of transparency and communication with affected customers and individuals is a concern, and it remains to be seen how the company will address these issues in the future.
