How Kentucky prisoners hacked state-issued tablets, digitally created $1 million
In a surprising turn of events, several hundred inmates in Kentucky prisons have managed to exploit their state-issued computer tablets. The prisoners successfully manipulated a payments app to generate over $1 million in non-existent funds. These virtual "dollars" were then used for various digital purchases such as email and video visits with family members, games, music, and movies.
Hackers spent $88,000 on digital media products
The scheme was uncovered on January 3, 2023, when an anonymous tip alerted state officials to the situation. By this time, the inmates had already spent nearly $88,000 on digital media products. This information was revealed through a review of over 1,700 pages of internal investigative records obtained by the Herald-Leader under Kentucky's Open Records Act.
Securus Technologies and Department of Corrections scramble to recover funds
Following the discovery of the hack, both Kentucky's Department of Corrections and Securus Technologies, the Texas-based company responsible for supplying the tablets, faced challenges in identifying who had made purchases with the illicit funds and how to recover them. The complexity of this task was highlighted in an email exchange between Amanda Sayle, director of information services at the Department of Corrections, and her colleague Jeremy Shuck, an information systems supervisor.
How did the prisoners create money
In December 2022, Securus introduced an app for Kentucky inmates, allowing them to transfer funds from their commissary accounts to Securus accounts for purchasing digital products. LaDaniel Brown, an inmate, discovered a flaw. By placing a minus sign before a dollar amount during the transfer, he could artificially inflate his commissary and Securus balances. Typing "-$500" credited $500 to both accounts. Brown exploited this glitch repeatedly, accumulating $1,892.55. The hack quickly spread among inmates, leading to widespread abuse.
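The flaw described above is a missing sign check on a user-supplied amount. The following is an added example, not Securus's code: a toy transfer routine that reproduces the reported effect, next to a version that validates the amount before touching either balance. The account names, the per-transfer cap, the starting balances and the sign-dropping credit step are assumptions, since the article does not say how the real app was written.

```python
from decimal import Decimal, InvalidOperation

MAX_TRANSFER = Decimal("1000.00")  # constructed per-transfer cap (assumption)
class TransferError(ValueError):
    """Raised when a transfer request is rejected."""

def transfer_naive(accounts, text):
    """Toy model of the flaw: the sign of the amount is never checked."""
    amount = Decimal(text.replace("$", ""))
    if accounts["commissary"] < amount:    # a negative amount always passes
        raise TransferError("insufficient funds")
    accounts["commissary"] -= amount       # subtracting -500 adds 500
    accounts["securus"] += abs(amount)     # assumed: credit step drops the sign

def parse_amount(text):
    """Accept only a finite, strictly positive amount in whole cents."""
    try:
        amount = Decimal(text.strip().replace("$", "").replace(",", ""))
    except InvalidOperation:
        raise TransferError("not a number") from None
    if not amount.is_finite() or amount <= 0 or amount > MAX_TRANSFER:
        raise TransferError("amount out of range")
    if amount != amount.quantize(Decimal("0.01")):
        raise TransferError("sub-cent amount")
    return amount

def transfer_checked(accounts, text):
    """Validate first, then move funds and verify nothing was created."""
    amount = parse_amount(text)
    if accounts["commissary"] < amount:
        raise TransferError("insufficient funds")
    total_before = sum(accounts.values())
    accounts["commissary"] -= amount
    accounts["securus"] += amount
    if sum(accounts.values()) != total_before:
        raise TransferError("ledger invariant violated")
    return amount

def demo():
    """Run both versions on constructed balances with the article's input."""
    naive = {"commissary": Decimal("20.00"), "securus": Decimal("0.00")}
    transfer_naive(naive, "-$500")
    checked = {"commissary": Decimal("20.00"), "securus": Decimal("0.00")}
    try:
        transfer_checked(checked, "-$500")
        rejected = False
    except TransferError:
        rejected = True
    return naive, checked, rejected
```

The conservation check in `transfer_checked` is a second line of defence: even if parsing were bypassed, a transfer that changes the combined balance is refused.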
Securus Technologies faces second major hack
This incident marks the second time that inmates have outsmarted Securus Technologies. In 2018, several hundred Idaho prisoners hacked tablets provided by JPay, a company related to Securus, and transferred approximately $225,000 into their digital media accounts. Despite these significant security breaches, Securus Technologies has not responded to requests for comment on the matter, according to the Herald-Leader.
No taxpayer money lost in hacking
In response to the recent incident, a spokeswoman for the Justice and Public Safety Cabinet, which oversees Kentucky's Department of Corrections, clarified that no taxpayer money was lost due to this "software glitch." The spokeswoman also stated that only Securus could provide details on their efforts to retrieve the stolen funds. To recover some of these losses, liens (possession of property) have been placed on inmates' prison commissary accounts and deductions are being made from these accounts.
Inmates face restrictions and debt recovery measures
In the aftermath of the hack, prison officials have imposed restrictions on inmates involved in the incident. These individuals were barred from accessing their tablets for over three months. Additionally, any inmate who still owes money is prohibited from using the phone system until their debt is cleared. These measures are part of ongoing efforts to recover the funds lost in this security breach.
Securus Technologies' history and contract with Kentucky
Securus Technologies has been providing for-profit inmate telephone services to all Kentucky prisons since 2006. The company later expanded its offerings to include other digital products. As part of its agreement with the Department of Corrections, Securus shares a portion of the money it collects from inmates with the state. Since 2020, it has paid Kentucky $22.3 million under this arrangement.