BreachExchange mailing list archives

Prison Phone Breach Opens Door to Constitutional Nightmare


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Nov 2015 17:23:37 -0700

http://www.infosecurity-magazine.com/news/prison-phone-breach-constitutional/

An anonymous hacktivist has attacked Securus Technologies, the top provider
of phone services inside US prisons and jails. About 70 million records of
phone calls, placed by prisoners to at least 37 states, in addition to
links to downloadable recordings of the calls, have been
accessed—potentially leading to a widespread miscarriage of justice.

Only a few FCC-compliant service providers serve the prison market. FCC
regulations provide for tiered rates for jails to account for the higher
costs of serving jails and prisons, because of the requirement for call
recording and monitoring for law enforcement purposes. That means that
these providers keep not only structured data (phone call metadata like
phone numbers, call times and duration) but also unstructured data: the
actual recordings of the phone calls.

The hackers obtained both.

And obviously, the latter has the potential to obviate client-attorney
privilege—a state of affairs that could have wide-ranging consequences.
According to the Intercept, the vast trove of phone records includes what
appear to be at least 14,000 recorded conversations between inmates and
attorneys.

“Would the legal community be nearly as concerned if the fact that a
certain prisoner made a 30-minute phone call to his attorney on January 4th
at 3 pm were exposed?” said Jeff Hill, channel marketing manager with
STEALTHbits, in an emailed comment. “It’s far more disconcerting that the
recording of that discussion—possibly replete with sensitive details of the
crime and his or her defense strategy—has been made public.”

The calls span a nearly two-and-a-half year period, beginning in December
2011 and ending in the spring of 2014.

Ironically, the hacker who claimed credit for the heist believes that
Securus is violating the constitutional rights of inmates—and said that he
or she was attempting to bring to light the call-recording activities of
prisons. Of course, the very act has in and of itself set the stage for a
much more immediately impactful violation of constitutional rights.

“The breach highlights the moral dichotomy inherent in hacktivism,” Hill
said.

The situation also gets worse. Matt Garland, vice president of research at
Pindrop Security and head of Pindrop Labs, pointed out that the people on
the other end of the phone with the prisoners are likely to be targeted by
fraudsters.

“The hack of Securus’ records not only revealed information about
prisoners, but also provided fraudsters with enough data on friends and
family members of the imprisoned to open them up to malicious phone scams,”
he told Infosecurity. “Phone fraudsters notoriously prey on vulnerable
populations such as the elderly, college students or immigrants. We can
expect to see extortion scams targeting prisoners’ friends and family whose
names and numbers were included in the stolen database.”

These scams might include fraudsters impersonating law enforcement or
prison authorities, claiming that family members must pay either the
prisoner's lawyers or court fees. Unfortunately, many families of prisoners are
unlikely to be cyber-savvy, and provide a perfect target for these types of
schemes.

Bottom line? Although the hacktivist believes he or she was acting in the
best interests of those trapped in the criminal justice system, the reality
is that he or she just made all of the affected inmates’ lives much
worse—both when it comes to getting a fair trial, and when it comes to the
financial safety of their loved ones.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/