[BreachExchange] Idaho Prison Officials: Inmates Hacked System to Get Credits

[Inga Goddijn]

https://www.usnews.com/news/best-states/idaho/articles/2018-07-26/prison-officials-idaho-inmates-hacked-jpay-tablet-system

Idaho prison officials say 364 inmates exploited vulnerable software in the
JPay tablets they use for email, music and games to collectively transfer
nearly a quarter million dollars into their own accounts.

The department's special investigations unit discovered the problem earlier
this month, and the improper conduct involved no taxpayer dollars, Idaho
Department of Correction spokesman Jeff Ray said on Thursday.

The hand-held computer tablets are popular in prisons across the country,
and they are made available to Idaho inmates through a contract with
CenturyLink and JPay. The tablets allow inmates to email their families and
friends, purchase and listen to music or play simple electronic games.

"JPay is proud to provide services that allow incarcerated individuals to
communicate with friends and family, access educational programming, and
enjoy positive entertainment options that help prevent behavioral issues,"
JPay spokesperson Jade Trombetta said in a prepared statement. "While the
vast majority of individuals use our secure technology appropriately, we
are continually working to improve our products to prevent any attempts at
misuse."

Mark Molzen, the spokesman for CenturyLink, said the problem involved
inmates "intentionally exploiting a software vulnerability to increase
their JPay account balances," but said he couldn't provide details because
CenturyLink considers it proprietary information. Molzen said the
vulnerability issue has since been resolved, however.

Idaho Department of Correction spokesman Jeff Ray said in a prepared
statement that 50 inmates credited their accounts in amounts exceeding
$1,000; the largest amount credited by a single inmate was just under
$10,000.

In all, nearly $225,000 was credited into the 364 inmates' accounts.

"This conduct was intentional, not accidental. It required a knowledge of
the JPay system and multiple actions by every inmate who exploited the
system's vulnerability to improperly credit their account," Ray said in a
prepared statement.

So far, JPay has recovered more than $65,000 worth of credits, and the
company has suspended the ability of the inmates to download music and
games until they compensate JPay for its losses, Ray said. The inmates are
still able to send and receive emails, however.

Meanwhile, the Idaho Department of Correction has issued disciplinary
offense reports to the inmates who were allegedly involved, which means
they could lose privileges and may be reclassified to a higher security
risk level.

The inmates involved are housed at the Idaho State Correctional
Institution, Idaho State Correctional Center, Idaho Correctional
Institution-Orofino, South Idaho Correctional Institution and the
Correctional Alternative Placement Plan facility operated by private prison
company MTC Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180730/bac3d99b/attachment.html>