TechCrunch News, January 31
AngelSense exposed location data and personal information of tracked users
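The personal information and location data of AngelSense users were exposed on the internet. Security firm UpGuard discovered the exposure and notified the company, which secured the server more than a week later. The database exposed a range of information, including users' names and addresses. The extent of the impact is unknown, and the company says it is investigating whether to notify users.

🎈 AngelSense users' personal information and location data were exposed online without password protection.

💻 After discovering the exposure, UpGuard notified AngelSense; the company initially mistook the email for spam and took the issue seriously only after receiving a phone call.

❓ How long the database was exposed and how many users were affected are unknown; the company says it is investigating whether to notify users.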

AngelSense, an assistive technology company that provides location monitoring devices for people with disabilities, was spilling the personally identifiable information and precise location data of its users to the open internet, TechCrunch has learned.

The company secured the exposed server on Monday, more than a week after it was alerted to the data leak by researchers at security firm UpGuard.

UpGuard shared details of the exposure exclusively with TechCrunch after AngelSense resolved the lapse. UpGuard has since published a blog post on the incident. 

The New Jersey-based AngelSense provides GPS trackers and location monitoring to thousands of customers, according to its mobile app listing, and is touted by law enforcement and police departments across the United States.

According to UpGuard’s researchers, AngelSense left an internal database exposed to the internet without a password, allowing anyone to access the data inside using only a web browser and knowledge of the database’s public IP address. The database was storing real-time updating logs from an AngelSense system, which included the personal information of AngelSense customers, as well as technical logs about the company’s systems.

UpGuard said it found customers’ personal data, like names, postal addresses, and phone numbers in the exposed database. The researchers said they also found GPS coordinates of individuals being monitored — including associated health information about the tracked person, which included conditions like autism and dementia. The researchers also found email addresses, passwords, and authentication tokens for accessing customer accounts, as well as partial credit card information — all of which was visible in plaintext, UpGuard said. 

It’s not known exactly how long the database was exposed nor how many customers were affected. According to the database’s listing on Shodan, a search engine of internet-facing devices and systems, AngelSense’s exposed logging database was first spotted online on January 14, though it may have been exposed some time earlier.

AngelSense chief executive Doron Somer confirmed to TechCrunch that the company took the exposed server offline after initially identifying UpGuard’s first email as spam.

“It was only when UpGuard phoned us that the issue was raised to our attention,” Somer said. “Upon its discovery, we acted promptly to validate the information provided to us and to remedy the vulnerability.”

“We note that other than UpGuard, we have no information suggesting that any data on the logging system potentially was accessed. Nor do we have any evidence or indication that the data has been misused or is under threat of misuse,” Somer told TechCrunch, claiming that the data “was not sensitive personal information.” 

Somer would not say if the company has the technical means to determine if there was any access to the unprotected server prior to UpGuard’s discovery.

When asked if the company planned to notify affected customers and individuals whose data was exposed, Somer said the company was still investigating.

“If notice to regulators or persons is warranted, we will of course provide it,” Somer said.

Somer did not respond to a follow-up inquiry by press time.

Database exposures are often the result of misconfigurations caused by human error, rather than malicious intent, and have become an increasingly common occurrence in recent years. Similar security lapses of exposed databases have resulted in the spill of sensitive U.S. military emails, the real-time leak of text messages containing two-factor codes, and chat histories from AI chatbots.
