CarriersCyberCrimeLegalNetworksProjectsRegulationSecuritySecurity ManagementService ProvidersSurveillance-IT

Prison Phone Provider Securus Suffers Massive Hack

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Google + Linkedin Subscribe to our newsletter Write a comment

Significant hack of Securus comprimises over 70 million records of prison phone calls

A serious hack has compromised over 70 million prison phone call records in the United States.

The enormous cache phone records was obtained by The Intercept, and the data comes from Dallas-based Securus Technologies, a leading provider of phone services in jails and prisons in America.

The firm says it services 2,600 public safety, law enforcement and corrections agencies and over a million inmates across North America.

Legal Implications

The cache of phone records was leaked via SecureDrop by an anonymous hacker. This hacker apparently believes that Securus is violating the constitutional rights of inmates.

The phone records include links to downloadable recordings of the calls that happened between December 2011 and the spring of 2014.

bended barsThis significance of what reportedly is 14,000 recorded conversations, said to include calls between inmates and attorneys, will no doubt have significant legal implications as these are deemed to be confidential and privileged legal communications.

The fact that these calls have been recorded at all also raises constitutional issues, including the right to effective assistance of counsel and of access to the courts.

“This may be the most massive breach of the attorney-client privilege in modern US history, and that’s certainly something to be concerned about,” said David Fathi, director of the ACLU’s National Prison Project was quoted as saying. “A lot of prisoner rights are limited because of their conviction and incarceration, but their protection by the attorney-client privilege is not.”

The phone records database is also said to include prisoners’ first and last names; the phone numbers they called; the date, time, and duration of the calls; the inmates’ Securus account numbers; as well as other information. In addition to metadata, each phone call record includes a “recording URL” where the audio recordings of the calls can be downloaded.

Not Hacked?

But Securus has said that there is no evidence its systems were breached in a statement.

“Securus is contacting law enforcement agencies in the investigation into media reports that inmate call records were leaked online,” it said. “Although this investigation is ongoing, we have seen no evidence that records were shared as a result of a technology breach or hack into our systems. Instead, at this preliminary stage, evidence suggests that an individual or individuals with authorised access to a limited set of records may have used that access to inappropriately share those records.”

“We will fully support law enforcement in prosecution of any individuals found to have illegally shared information in this case,” the firm added.

“It is very important to note that we have found absolutely no evidence of attorney-client calls that were recorded without the knowledge and consent of those parties,” it added. “Our calling systems include multiple safeguards to prevent this from occurring. Attorneys are able to register their numbers to exempt them from the recording that is standard for other inmate calls. Those attorneys who did not register their numbers would also hear a warning about recording prior to the beginning of each call, requiring active acceptance.”

Securus said it is coordinating with law enforcement and will provide updates as the investigation proceeds.

Data Equality

At least one security expert has said that the hack shows how not all data is created equal.

“Of course the problem we have here is how the data was compromised,” said Mark James, Security Specialist at IT Security Firm, ESET. “If it was encrypted and someone with the authority to view or access it in the first place was able to make copies and or move this data off site, then the question should be why was the data not segregated off and stored with multi factor access or even digitally encoded for tracing purposes?”

“If the data was not encrypted and it was accessed by someone who managed to compromise the system, then of course why it was not encrypted is the big question,” said James.

“Quite often in these cases the storing of this data is governed by general rules to protect data as a whole and sadly not all data is equal,” said James. “Some data needs to be protected differently than others, the data is now ‘in the wild’ and nothing can be done about that.”

“Securous will have to deal with the backlash of that and look at measures to protect the storage of future data in an attempt to stop this from happening again,” he added. “In these circumstances access to this data could have massive repercussions due to the nature of the content and it should have been better protected.”

Are you a security pro? Try our quiz!