Securus prison phone call data breach raises privacy, supply chain questions
The large breach of Securus Technologies prison raises a number of privacy concerns and is a wakeup call for prisons and other organizations to tighten security at every point in their supply chains.
The large breach of Securus Technologies prison phone call data that exposed more than 70 million phone records of prisoners in 37 states and, in many instances, revealed the content of privileged conversations between inmates and their attorneys, raises a number of privacy concerns and is a wakeup call for prisons and other organizations to tighten security at every point in their supply chains.
Records of the calls were leaked to the Intercept through its SecureDrop in an effort to expose what an anonymous hacker believes are constitutional rights violations on the part of Securus, according to a report from the Intercept.
“This hack makes it crystal clear that the collection of all forms of sensitive personal information can be a liability to an organization,” Ken Westin, senior security analyst at Tripwire, said in emailed comments to SCMagazine.com.
Securis, whose platform boasts 1.2 million prisoners and in 2012 fielded about 1 million calls daily, hawks its system on its website as “the most technologically advanced audio and video communications platform to allow calls with a high level of security” and underscores that the “confidentiality of calls is critical,” pledging to follow all laws—local, state and federal.
But recording privileged communications between attorneys and prisoners, as evidenced by the more than 14,000 recordings sent to the Intercept, could tread all over prisoners' constitutional rights.
"It is very important to note that we have found absolutely no evidence of attorney-client calls that were recorded without the knowledge and consent of those parties. Our calling systems include multiple safeguards to prevent this from occurring. Attorneys are able to register their numbers to exempt them from the recording that is standard for other inmate calls. Those attorneys who did not register their numbers would also hear a warning about recording prior to the beginning of each call, requiring active acceptance," Securus said in a statement.
David C. Fathi, director of the ACLU's National Prison Project told SCMagazine.com that Securus' methodology to protect attorney-client privilege is unacceptable.
"This is not sufficient. There has to be an option to make an unmonitored call," he said, adding that if an inmate believes for a minute that a call to his lawyer is being monitored than it could hinder what is discussed.
The records leaked to the Intercept were drawn from a more than two-year period beginning December 2011 and ending in the spring of 2014.
Cautioning against the inevitable “finger wagging done at Securus for their role in this,” Lieberman Software Vice President Jonathan Sander urged the industry and critics “to step back and see this a broader context of how we're failing at every layer of cybersecurity.”
He said that claims that the breach “breaks the promise Securus made about a superior security platform” may be premature. “Looking at what's happened and what they promised that doesn't seem to be the case.”
Sander, who believes that Securus had created a secure platform with solid controls, said “the blame might not even be with Securus.”
That's a sentiment echoed by Tripwire Director of IT Security and Risk Strategy Tim Erlin who pointed out in emailed comments to SCMagazine.com that “Securus is part of the prison supply chain, and a weakness they exhibited may not have been adequately evaluated by the prison management.”However, Intercept also reported that the Securus platform had been breached before, referring to documents the Intercept received from a Texas attorney, when a hacker accessed at least three calls from a prisoner identified as Aaron Hernandez, likely the New England Patriots football player who was accused and convicted of killing a friend.
Facilitating prisoner communications with the outside world is a lucrative business for Securus and its competitors, such as Global Tel*Link. Securus pulled down revenue of more than $404 million in 2014. But the Federal Communications Commission has taken steps to put an end to what most see as unfair pricing, ruling in October that companies to cap those rates.
The wide expanse of the Securus breach will likely have legal, financial, privacy and security ramifications going forward.
“Unfortunately for the victims of this hack, this is probably just the beginning. We've seen a trend where phone fraud follows high-profile cyber breaches,” Matt Garland, vice president of research at Pindrop Security and head of Pindrop Labs, said in comments emailed to SCMagazine.com. “For example, after the Ashley Madison hack, victims received calls demanding payment or their account information would be sent to everyone they know.”
Not only was the personal information of prisoners revealed, fraudsters now have “enough data on friends and family members of the imprisoned to open them up to malicious phone scams,” he said. “Phone fraudsters notoriously prey on vulnerable populations such as the elderly, college students or immigrants.”
Likely scams might include extortion schemes aimed at friends and families of prisoners. “These scams might including fraudsters impersonating law enforcement or prison authorities, claiming that either they must pay the prisoner's lawyers or court fees,” Garland said.
He added that “the onus is now on the prisons to open the lines of communication so that those affected can be prepared and won't be further victimized."
To prevent further breaches, Erlin urged prisons to “actively look at other areas of their supply chain that might represent cybersecurity risks.”
Online Editor Doug Olenick contributed to this story.UPDATED with comments from the ACLU and Securus Technologies.