AngelSense, a prominent assistive technology provider specializing in GPS tracking for individuals with disabilities, suffered a major security breach that exposed sensitive user data and real-time location logs to the open internet. The vulnerability was identified by security researchers at UpGuard, who discovered an internal database accessible to anyone with a web browser and the server’s public IP address.
The Scope of the Exposure
The exposed database contained a wealth of highly sensitive information belonging to thousands of customers who rely on the company’s monitoring services. According to UpGuard’s investigation, the compromised data included:
- Full names, postal addresses, and contact phone numbers.
- Real-time GPS coordinates of individuals currently being tracked.
- Medical information, including diagnoses such as autism and dementia.
- Account credentials, including email addresses, passwords, and authentication tokens.
- Partial credit card information stored in plaintext.
Timeline and Discovery
The security lapse was first detected on January 14 via Shodan, a search engine for internet-connected devices. However, the exact duration of the exposure remains unknown. AngelSense, based in New Jersey, only secured the server this past Monday—more than a week after the initial notification from UpGuard.
AngelSense CEO Doron Somer admitted that the company initially dismissed the warning emails from security researchers as spam. “It was only when UpGuard phoned us that the issue was raised to our attention,” Somer stated. He claimed that the company acted promptly once the vulnerability was verified.
Company Response and Accountability
Despite the nature of the leaked data, Somer disputed the severity of the incident, asserting that the information “was not sensitive personal information.” He further claimed that the company has no evidence that anyone other than the researchers at UpGuard accessed the data, or that the data was misused.
When pressed on whether the company could technically verify if other parties had accessed the unprotected server prior to the discovery, Somer declined to comment. Furthermore, the company has yet to confirm whether it will notify the affected customers, stating that an internal investigation is still underway to determine if such notification is “warranted.”
A Growing Security Trend
This incident highlights a recurring pattern of misconfigured databases left unsecured due to human error. Similar lapses have recently exposed data as varied as U.S. military communications, two-factor authentication codes, and private AI chatbot histories. As AngelSense’s mobile app continues to be marketed to law enforcement and families, the incident raises critical questions regarding the data protection standards for companies handling the most vulnerable populations.
