[BreachExchange] Jailcore database leaks PII of inmates & correctional officers across US

Destry Winant destry at riskbasedsecurity.com
Mon Feb 17 10:13:42 EST 2020


https://www.hackread.com/jailcore-database-leaks-us-inmates-pii-correctional-officers/

The company that owns the database claims that since these are
incarcerated individuals, their rights differ substantially from the
free lot in terms of privacy.

A new data breach has taken place, this time involving the information
of inmates rather than the conventional cases. The data exposure was
discovered through an Amazon S3 bucket that belongs to a company named
JailCore, which is a “correctional facility management and compliance
cloud-based application” as they advertise themselves.

Yet the latter part of their service offering, the cloud-based
application, is what led to this crisis in the first place. To offer
such a service, they needed to create a database online. When they did
so, it was exposed to the public due to weak security measures.

Initially, the database was discovered this year on January 3 and
reported to the firm 2 days later on January 5. However, due to a lack
of action on the part of the company, the researchers had to notify the
USA’s Pentagon on January 15, which eventually led to the bucket being
taken down.

According to vpnMentor’s blog post, the bucket contained 36,077 files,
to be precise, and hosted personally identifiable information (PII) of
inmates held in specific detention centers, along with that of
correctional officers. The information can be divided into several
categories.

1: First is the basic information that could be used to identify each
inmate, comprising their full name, date of birth, location of their
cell within the jail, their mugshot and booking number.

2: Second are the prescription records of inmates, which comprise the
following:

Medicine name
Dosage amount
Start and end date
Prescription quantity & refills remaining
Time/date administered
Full name of the correctional officer who administered (and, in some
cases, their signature)
If the inmate took the prescription or refused

3: Next up are the headcount reports which also include various fields
such as the date, name, ID & DOB of the inmate along with their cell
location. As if this wasn’t enough, one could also peek into their
specific activities categorized into the following:

Restroom
Shower
Meals
Return to cell
Visits
Recreation
Packages
Cleaning

4: Concerning the staff involved, we saw records pertaining to auditor
officers, which again covered a range of parameters. These included
the observation type assigned to each member, such as those having to
do headcounts, the date & time of their duty, the inmates observed and
their associated activities in their respective cells.

Currently, the states whose facilities are confirmed to have been
affected by this breach include Florida, Kentucky, Missouri,
Tennessee, and West Virginia. This is not all, though: not every
individual record among the thousands of files found was analyzed, and
hence it is possible that other states are also affected.

The implications of this breach are two-fold. Firstly, we have the
usual identity theft concerns: the data could be used by malicious
actors to aid in social engineering, which can in turn aid attacks
such as phishing in the future.

Additionally, the person’s family members outside could be targeted
and since the inmate doesn’t have continuous access to the outside
world, they may not be able to warn others. Secondly, however, is a
more specific concern associated with this particular case.

Since the data leaked is related to prisoners, it could very well be
misused by certain people to stigmatize these inmates even once
they’re out of prison. What happens when you have your mugshot doing
rounds on the internet? Not much on the good side unless you’re classy
old Bill Gates.

Nonetheless, the response of JailCore was highly disappointing. They
put forward the claim that since these are incarcerated individuals,
their rights differ substantially from the free lot in terms of
privacy. Concerning the authenticity of the records, they commented
that,

“They are a startup company that currently works with 6 jails totaling
1,200 inmates. Not the 36,000 mentioned in an earlier email.”

Elaborating further on the facility names found in the records, the
company stated that,

“Of those 6 jails, only 1 is using the application to track medication
compliance is a 35 inmate jail and only 5 of those 35 inmates in that
jail has prescribed medication. Meaning all other reports with any
mention of medication were all used for demonstration purposes only.”

Tackling the issue of their lousy security, they’ve stated that they
use an “SHA-256 SSL Certificate” for transmitting data to and from
their server ensuring encryption is being done. Moreover, the data
itself is stored on Google’s Cloud Platform with “several layers of
encryption.”

Regardless of this, it is a fact that a considerable breach was seen
here, and so to conclude, as with the various similar cases we’ve seen
in the past, our suggestions remain the same. If companies started
implementing strict authentication measures, preferably two-factor,
along with proper access-based controls, such incidents would be
greatly reduced.

