Across a series of Idaho correctional facilities, 364 inmates exploited a software vulnerability in mobile tablets to transfer a total of $225,000 worth of multimedia credits into their own accounts — manipulating a system normally used to access email, music and games for a small fee.
As first reported by the AP , the inmates exploited a software vulnerability in tablets from JPay . The company charges inmates a fee via a credit-based system for access email, music, games, educational tools or video messaging on its tablets, which are either bought for inmates by friends and family or provided to the facilities en masse at no cost.
The Idaho hackers obtained their hand-held tablets thanks to a contract held by the Idaho Department of Correction with JPay and CenturyLink. The hack was discovered earlier this month by the correction department’s special investigations unit, which reported 50 inmates each crediting more than $1,000 into their accounts and at least one inmate crediting nearly $10,000.
“JPay is proud to provide services that allow incarcerated individuals to communicate with friends and family, access educational programming, and enjoy positive entertainment options that help prevent behavioral issues,” JPay spokesperson Jade Trombetta said in a statement responding to news of the hack. “While the vast majority of individuals use our secure technology appropriately, we are continually working to improve our products to prevent any attempts at misuse.”
Jeff Ray, a spokesperson for the state’s corrections department issued a statement clarifying that “this conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account.”
CenturyLink did not disclose the specifics of the vulnerability owing to the proprietary nature of the technology, but Mark Molzen, a spokesman for CenturyLink, told the AP the issue has been resolved. JPay also reports it has recovered $65,000 in unauthorized credits and suspended access to its systems until the inmates compensate JPay for its losses, according to the AP.
Access to technology for prisoners is a polarizing issue, particularly in light of potential security concerns the tools could present. Conversely, Russ Nichols, chief information officer for California’s Department of Corrections and Rehabilitation said last year that it was his goal to make digital technology and tablets available to “every inmate, to every staff member, to every contractor or private company that comes in for any reason.”