Prison Phone Breach Opens Door to Constitutional Nightmare

An anonymous hacktivist has attacked Securus Technologies, the top provider of phone services inside US prisons and jails. About 70 million records of phone calls, placed by prisoners to at least 37 states, in addition to links to downloadable recordings of the calls, have been accessed—potentially leading to a widespread miscarriage of justice.

Only a few FCC-compliant service providers serve the prison market. FCC regulations provide for tiered rates for jails to account for the higher costs of serving jails and prisons, because of the requirement for call recording and monitoring for law enforcement purposes. That means that these providers keep not only structured data (phone call metadata like phone numbers, call times and duration) but also unstructured data: the actual recordings of the phone calls.

The hackers obtained both.

And obviously, the latter has the potential to obviate client-attorney privilege—a state of affairs that could have wide-ranging consequences. According to the Intercept, the vast trove of phone records includes what appear to be at least 14,000 recorded conversations between inmates and attorneys.

“Would the legal community be nearly as concerned if the fact that a certain prisoner made a 30-minute phone call to his attorney on January 4th at 3 pm were exposed?” said Jeff Hill, channel marketing manager with STEALTHbits, in an emailed comment. “It’s far more disconcerting that the recording of that discussion—possibly replete with sensitive details of the crime and his or her defense strategy—has been made public.”

The calls span a nearly two-and-a-half year period, beginning in December 2011 and ending in the spring of 2014.

Ironically, the hacker who claimed credit for the heist believes that Securus is violating the constitutional rights of inmates—and said that he or she was attempting to bring to light the call-recording activities of prisons. Of course, the very act has in and of itself set the stage for a much more immediately impactful violation of constitutional rights.

“The breach highlights the moral dichotomy inherent in hacktivism,” Hill said.

The situation also gets worse. Matt Garland, vice president of research at Pindrop Security and head of Pindrop Labs, pointed out that the people on the other end of the phone with the prisoners are likely to be targeted by fraudsters.

“The hack of Securus’ records not only revealed information about prisoners, but also provided fraudsters with enough data on friends and family members of the imprisoned to open them up to malicious phone scams,” he told Infosecurity. “Phone fraudsters notoriously prey on vulnerable populations such as the elderly, college students or immigrants. We can expect to see extortion scams targeting prisoners’ friends and family whose names and numbers were included in the stolen database.”

These scams might include fraudsters impersonating law enforcement or prison authorities, claiming that the families must pay either the prisoner's lawyers or court fees. Unfortunately, many families of prisoners are unlikely to be cyber-savvy, and provide a perfect target for these types of schemes.

Bottom line? Although the hacktivist believes he or she was acting in the best interests of those trapped in the criminal justice system, the reality is that he or she just made all of the affected inmates’ lives much worse—both when it comes to getting a fair trial, and when it comes to the financial safety of their loved ones.
