Securus prison technology company reportedly gets hacked


  • Securus
    is a prison technology company best known for providing phone
    services for inmates.
  • One of its lesser-known services is a geolocation
    service that lets law enforcement track almost any cell phone
    within seconds.
  • Last week, the 
    York Times
    reported that a Missouri sheriff is accused of
    using Securus technology to track people, including a judge,
    without a warrant. The incident raised security and privacy

  • According to
    , a hacker was able to breach the company’s
    server, and supplied the publication with internal

Securus, a prison technology company used by law enforcement
agencies across the country, has allegedly had its data breached
by a hacker, reports Motherboard.

The 10-year-old company came into the spotlight last week, when
New York Times reported
that Cory Hutcheson, a former
Missouri sheriff, was accused of allegedly using Securus services
to track the whereabouts of people’s cellphones, including a
judge and members of the highway patrol, without warrants.
Hutcheson pled not guilty. 

The Dallas-based company is one of the leading providers of
prison phone services, enabling inmates to communicate with the
outside world. However, it also offers an additional feature to
its customers in law enforcement — the ability to track the
location of any cell phone across the country, in seconds.

In theory, this location service is meant for benevolent uses,
like helping law enforcement solve crimes, or hospitals to
recover wayward patients with Alzheimers. Furthermore, when
inmates make a phone call, it gives prison staff a way to know
where, exactly, the person they’re speaking with is located.

Ahead of the Times report, however,
Senator Ron Wyden (D-OR) wrote a letter to the FCC
, as well
as AT&T, Verizon, Sprint, T-Mobile, and other wireless
service providers, demanding answers on the privacy implications
of the location-tracking services offered by Securus, as well as
asking for safeguards against the misuse of the service. 

Furthermore, the Times reports that Securus’ tracking tech works
even if GPS is switched off on the target’s phone: It uses cell
phone towers to triangulate the phone’s location, using tech
originally invented for marketing.
ZDNet has a deeper dive
on how this feat is accomplished, and
how Securus seems to use middleman companies to stay within the

It’s difficult to know how widely this service is being used —
not every Securus customer takes advantage of the geolocation
feature. However, it is fair to say that Securus is very popular
with domestic law enforcement agencies and prisons, with the
Times reporting that its customers number in the thousands.

On Wednesday, less than a week after the Times published its
story, Motherboard reported that hackers had supplied
it with a spreadsheet of internal company files on customers
who had bought Securus services since 2011, including personal
information on 2,800 Securus users.

Motherboard described the contents of this breach as including
“poorly secured passwords for thousands of Securus’ law
enforcement customers,” as well as usernames, email addresses,
phone numbers, and other personal information. And Motherboard
reports that it was able to verify that the information was

The data breach also reportedly includes that of Securus staff
members. And according to Motherboard, the roles of the users
listed in the spreadsheet that the hacker supplied include “jail
administrator” and “deputy warden,” indicating that much or even
most of the hacked data came from prison staff.

“If this account is true, it demonstrates, yet again, that
Securus is failing cybersecurity 101, in total disregard for the
privacy of the Americans whose communications and private data it
should be protecting,” Senator Wyden told Motherboard. He again
called on the FCC and wireless carriers to take action to protect
customer data.

Securus did not immediately respond for comment.

Read the full
New York Times report here
, and the
full Motherboard report here