Mikael Thalen reports:
A company that sells spyware that monitors individuals on parole and probation had its data leaked to a cybercrime forum this week. The leak, according to an analysis by Straight Arrow News, exposed highly sensitive information regarding employees of the corrections system and those under court-ordered supervision.
The affected company, RemoteCOM, describes itself as “the premier computer, smartphone and tablet monitoring service for the management of pretrial, probation and parole clients.” The data indicates that RemoteCOM’s services are used by parole and probation officers in 49 states.
A training manual in the leaked data for RemoteCOM’s software, known as SCOUT, says the spyware can be used to track everyone from sex offenders, sex traffickers and stalkers to terrorists, hackers and gang members.
In terms of the types of information involved in the leak, SANS reported:
A file titled “officers” in the leak contains 6,896 entries for people who work in the criminal-justice system and who currently or have previously used RemoteCOM’s services. Each entry shows the person’s name, phone number, work address, email addresses, unique ID and job title.
Another file titled “clients” contains identifying information on nearly 14,000 individuals who have been monitored by SCOUT. The offenders’ names, email addresses, IP addresses, home addresses and phone numbers are listed next to the names and email addresses of their probation officers.
Read more at SAN.
RemoteCom told SAN that they were investigating.
Attempts to contact them today, however, revealed that connections to their site were timing out, so they may have taken it offline while they investigate. DataBreaches chatted with Thalen yesterday afternoon and asked whether he had attempted to verify the data in the leak. Thalen informed DataBreaches that he had called the phone number of a person charged with terrorism. “His sister picked up, confirmed her brother had previously had remotecom on his phone etc.,” Thalen told DataBreaches.
This post was corrected post-publication due to an error in the name of the source site.
Update: DataBreaches was subsequently able to reach RemoteCom via email. They provided the following statement:
We recently identified unauthorized access to one of our servers, affecting contact information only. No financial data or government IDs were involved. The issue has been secured, and we will be working with law enforcement and the FBI. Protecting client information is our top priority.
But when DataBreaches followed up by asking them if they will be notifying the individuals who were being monitored and/or their relatives whose personal information was leaked, they did not reply.
In response to this site’s post, someone who was being monitored by RemoteCom sent this site a copy of an email he had sent to RemoteCom Support in February of this year:
I am reaching out to formally request clarification regarding the usage requirements and data security policies associated with Remote-Com.net, which has been installed on my devices as part of my probation monitoring.
Specifically, I seek written confirmation on the following:
- Device Usage Duration – There is no clear policy stating how many days I am required to actively use a monitored device. Please provide explicit guidelines or contractual terms outlining any mandatory usage periods.
- Data Security and Privacy – I require assurances that my personal data is securely stored, transmitted, and protected in compliance with applicable data protection laws. Please provide details on:
- Encryption standards and security protocols in place to safeguard my data.
- Retention policies specifying how long my data is stored before being deleted.
- Third-party access policies, including whether my data is shared with or accessible by any external entities.
- Compliance with Legal and Regulatory Standards – Please confirm whether Remote-Com.net adheres to relevant privacy laws, such as [applicable data protection regulations in your jurisdiction, e.g., GDPR, CCPA, etc.], and what recourse is available in the event of a data breach or misuse of my personal information.
I would appreciate a prompt response clarifying these matters, along with any supporting documentation outlining the legal framework governing Remote-Com.net usage. If any agreements or policies explicitly define these terms, please provide copies for my reference.
Thank you for your time and assistance. I look forward to your response.
He informs DataBreaches that they never replied.