The company that owns the database claims that since these are incarcerated individuals, their rights differ substantially from the free lot in terms of privacy.
A new data breach has taken place, this time involving the information of inmates as opposed to conventional cases. The data exposure was discovered through an Amazon S3 bucket that belongs to a company named JailCore, which advertises itself as a “correctional facility management and compliance cloud-based application.”
Yet it is the latter part of their service offering, the cloud-based application, that resulted in this crisis in the first place. You see, to offer such a service, they needed to create a database online. However, when they did so, it was exposed to the public due to weak security measures.
Initially, the database was discovered this year on January 3 and reported to the firm 2 days later on January 5. However, due to a lack of action on behalf of the company, the researchers had to notify the USA’s Pentagon on January 15 which eventually led to the bucket being taken down.
According to vpnMentor’s blog post, the bucket contained 36,077 files, to be precise, and hosted personally identifiable information (PII) of inmates that were present in specific detention centers along with the correctional officers. The information can be divided into several categories.
1: First is the basic information that could be used to identify each inmate, comprising their full name, date of birth, location of their cell within the jail, their mugshot and booking number.
2: Second are the prescription records of inmates, which comprise the following:
- Medicine name
- Dosage amount
- Start and end date
- Prescription quantity & refills remaining
- Time/date administered
- Full name of the correctional officer who administered (and, in some cases, their signature)
- If the inmate took the prescription or refused
3: Next up are the headcount reports which also include various fields such as the date, name, ID & DOB of the inmate along with their cell location. As if this wasn’t enough, one could also peek into their specific activities categorized into the following:
- Return to cell
4: Concerning the staff involved, we saw records pertaining to auditor officers, which again dealt with a range of parameters. These included the observation type assigned to each member, such as those having to do headcounts, the date & time of their duty, the inmates observed and their associated activities in their respective cells.
Currently, the states whose facilities are confirmed to have been affected by this breach include Florida, Kentucky, Missouri, Tennessee, and West Virginia. This is not all, though: not every individual record among the thousands of files found was analyzed, and hence it is possible that other states are also in the loop.
The implications of this breach are two-fold. Firstly, we have the usual identity theft concerns: the data could be used by malicious actors to aid in social engineering, which can in turn aid attacks such as phishing in the future.
Additionally, the person’s family members outside could be targeted and since the inmate doesn’t have continuous access to the outside world, they may not be able to warn others. Secondly, however, is a more specific concern associated with this particular case.
Since the data leaked is related to prisoners, it could very well be misused by certain people to stigmatize these inmates even once they’re out of prison. What happens when you have your mugshot doing rounds on the internet? Not much on the good side unless you’re classy old Bill Gates.
Nonetheless, the response of JailCore was highly disappointing. They put forward the claim that since these are incarcerated individuals, their rights differ substantially from the free lot in terms of privacy. Concerning the authenticity of the records, they commented that,
“They are a startup company that currently works with 6 jails totaling 1,200 inmates. Not the 36,000 mentioned in an earlier email.”
Elaborating further on the facility names found in the records, the company stated that,
“Of those 6 jails, only 1 is using the application to track medication compliance is a 35 inmate jail and only 5 of those 35 inmates in that jail has prescribed medication. Meaning all other reports with any mention of medication were all used for demonstration purposes only.”
Tackling the issue of their lousy security, they’ve stated that they use an “SHA-256 SSL Certificate” for transmitting data to and from their server ensuring encryption is being done. Moreover, the data itself is stored on Google’s Cloud Platform with “several layers of encryption.”
Regardless of this, it is a fact that a considerable breach was seen here. So, to conclude, as with the various similar cases we’ve seen in the past, our suggestions remain the same. If companies started implementing strict authentication measures, preferably two-factor, along with proper access-based controls, such incidents would be greatly reduced.
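The gap between the encryption JailCore cites and the access controls recommended above can be checked mechanically. The following is an added example, not code from the article, vpnMentor or JailCore: it audits a bucket's ACL grants, policy and Public Access Block settings for grants that reach callers outside the owning account. The `cfg` dictionary layout, the `SAMPLE` values and the bucket name are constructed assumptions that mirror the shape of S3's API responses.

```python
import json

# Predefined S3 ACL groups that include callers outside the owning account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def is_wildcard(principal):
    """True when a policy Principal matches any caller ("*" or {"AWS": "*"})."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def public_exposure(cfg):
    """Return findings for grants that let callers outside the account in."""
    pab = cfg.get("public_access_block", {})
    findings = []
    if not pab.get("IgnorePublicAcls"):  # when set, S3 ignores public ACL grants
        for grant in cfg.get("acl_grants", []):
            group = PUBLIC_GROUPS.get(grant["Grantee"].get("URI"))
            if group:
                findings.append(f"ACL: {grant['Permission']} granted to {group}")
    if cfg.get("policy") and not pab.get("RestrictPublicBuckets"):
        statements = json.loads(cfg["policy"]).get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be a bare object
            statements = [statements]
        for stmt in statements:
            # Simplification: any Condition is treated as narrowing the grant.
            if (stmt.get("Effect") == "Allow" and is_wildcard(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                findings.append(f"Policy: {stmt.get('Action')} allowed for any principal")
    return findings

# Constructed sample, not JailCore's real configuration.
SAMPLE = {
    "encryption": "AES256",  # at-rest encryption is on, yet never consulted above
    "public_access_block": {"IgnorePublicAcls": False, "RestrictPublicBuckets": False},
    "acl_grants": [{"Grantee": {"Type": "Group",
                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}]}),
}
LOCKED = dict(SAMPLE, public_access_block={"IgnorePublicAcls": True,
                                           "RestrictPublicBuckets": True})

if __name__ == "__main__":
    print(public_exposure(SAMPLE))
    print(public_exposure(LOCKED))
```

The sample has encryption enabled and still yields two findings, because encryption in transit and at rest does not decide who is allowed to read the objects.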