Secure Your City: Correctional Facilities

by Sarah Harvey / May 23rd, 2019

As technology advances, it touches every facet of society – and that includes correctional facilities. There’s an obvious need and investment in physical security at correctional facilities, but cybersecurity is presenting new areas of risk in prisons and detention centers. New technology makes it possible for inmates to send messages, read e-books, download music, participate in video visitation, and receive money transfers. What happens if that technology is compromised by an inmate or a hacker? Is cybersecurity for correctional facilities a major area of concern?

The Need for Effective Cybersecurity for Correctional Facilities

If you’re having trouble understanding cybersecurity for correctional facilities, take a look at the 2018 JPay incident. JPay is a service provider completely focused on correctional facilities, touting itself as “your home for corrections services.” JPay isn’t the only service provider for correctional facilities, but it is one of the most widely available. If you don’t have a family or friend in prison, you’ve probably never heard of JPay, but JPay is the sole provider of e-messaging services in 20 states. Along with e-messaging and other services, JPay has introduced tablets specifically made for inmates. In 2018, though, hundreds of inmates in Idaho found a way to add thousands of dollars of credit to their JPay accounts. The spokesman for the Idaho Department of Correction reported that over 300 inmates across five correctional facilities intentionally credited their JPay accounts by $224,772.40, which “required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account.” Fortunately, this incident didn’t impact taxpayer money or inmates’ bank accounts, only their JPay accounts. This incident, though, proves  a lack of understanding cybersecurity for correctional facilities and that there are vulnerabilities within new technology that must be mitigated.

Securus Technologies, a prison technology company providing phone and video visitation services, has had several incidents that compromised data. In 2015, an anonymous hacker stole 70+ million records of phone calls placed by prisoners in at least 37 states, with links to downloadable recordings of the calls. This is bad enough for Securus, until you consider the nature of these calls. At least 14,000 of these recorded conversations were between inmates and their attorneys – calls that, legally, probably shouldn’t have been recorded in the first place in order to protect attorney-client communications. The Intercept reported that David Fathi, director of the ACLU’s National Prison Project, said, “This may be the most massive breach of the attorney-client privilege in modern U.S. history, and that’s certainly something to be concerned about. A lot of prisoner rights are limited because of their conviction and incarceration, but their protection by the attorney-client privilege is not.” In addition to Securus’ 2015 breach, in 2018 it was reported that Securus sold law enforcement data that gave them the ability to look up the location of cell phones on all of the major U.S. mobile networks. When Securus was hacked, its database of law enforcement officer usernames and passwords  was exposed.

These JPay and Securus examples don’t even cover the risks that face the technology that supports physical security. What happens if a cyber attack impacts the effectiveness of cell locks? What happens when security cameras stop working? Would a prison pay a ransom if a hacker infected their systems with ransomware? As technology advances and spread to prisons, so does the attack surface. Whether it’s from the inmate or an external hacker, there’s definite motivation behind hacking a prison’s connected technology. What does cyberecurity for correctional facilities look like in your city?

Cybersecurity Challenges within Prisons

When managing the security of prisons, developing and implementing effective cybersecurity strategies may not seem as important as physical security. Cybersecurity versus guards, surveillance, locks, and weapons? Cybersecurity cannot continue to be pushed aside due to limited budgets, lack of leadership, or lack of interest. Contact us today to learn more about how what the risk factors in your correctional facility are and how to implement effective cybersecurity strategies.

More Cybersecurity Resources

Horror Stories – 5 Cities Victimized By Cyber Threats

How Can Penetration Testing Protect Your Assets?