Science

Massive data leak exposes medical records, mugshots and IDs of more than 36,000 US inmates


Tens of thousands of files belonging to US inmates were leaked online.

Cyber security researchers discovered a bucket containing the mugshots, full names, IDs, medical records and other sensitive information of 36,077 incarcerated individuals.

JailCore, a platform used to manage correctional facilities, was left unsecure and unencrypted on an Amazon server, impacting locations in Florida, Kentucky, Missouri, Tennessee and West Virginia

The bucket was discovered by vpmMentor on January 3rd, but was not closed until nearly two weeks later – leaving enough data exposed online for cybercriminals to steal the person’s identity.

Cyber security researchers discovered a bucket containing the mugshots, full names, IDs, medical records and other sensitive information of 36,077 incarcerated individuals

Cyber security researchers discovered a bucket containing the mugshots, full names, IDs, medical records and other sensitive information of 36,077 incarcerated individuals

The team explained that stealing a person’s identify who is in jail can cause greater damage, as it may take some time to discover they have been scammed.

Hackers could also use their information to engage in other illegal activity such as credit card fraud and scams on families.

The data leak was first spotted on January 3rd and vpnMentor quickly reached out to JailCore directly on January 5th.

DailyMail.com has contacted JailCore for comment and has yet to receive a response. 

According to vpnMentor, JailCore refused to accept the disclosure of their findings, and demanded that the information be sent over via fax.

JailCore was left unsecure and unencrypted on an Amazon server, impacting locations in Florida, Kentucky, Missouri, Tennessee and West Virginia The bucket was discovered by vpmMentor on January 3rd, but was not closed until nearly two weeks later

JailCore was left unsecure and unencrypted on an Amazon server, impacting locations in Florida, Kentucky, Missouri, Tennessee and West Virginia The bucket was discovered by vpmMentor on January 3rd, but was not closed until nearly two weeks later

JailCore responded to the information of the data breach presented by vpnMentor with: ‘We are a startup company that currently works with 6 jails totaling 1,200 inmates. Not the 36,000 mentioned in an earlier email,’ JailCore told vpnMentor. 

‘Of those 6 jails, only 1 is using the application to track medication compliance is a 35 inmate jail and only 5 of those 35 inmates in that jail has a prescribed medication.

‘Meaning all other reports with any mention of medication were all used for demonstration purposes only.’ 

‘These are incarcerated individuals, not free citizens. Meaning, the same privacy laws that you and I enjoy, they do not.’

‘I would implore you to get all facts straight before writing/publishing anything. You cannot look at this like an example of a private citizen getting certain private information hacked from the cloud’.

Data leaked included inmates' prescription records – such as medicine name, dosage, and whether the inmate accepted the medicine – full names, mugshots, booking numbers, inmate IDs, activity logs and more

Data leaked included inmates’ prescription records – such as medicine name, dosage, and whether the inmate accepted the medicine – full names, mugshots, booking numbers, inmate IDs, activity logs and more

The team explained that stealing a person's identify who is in jail can cause greater damage, as it may take some time to discover they have been scammed. Hackers could also use their information to engage in other illegal activity such as credit card fraud and scams on families

The team explained that stealing a person’s identify who is in jail can cause greater damage, as it may take some time to discover they have been scammed. Hackers could also use their information to engage in other illegal activity such as credit card fraud and scams on families

‘These are incarcerated individuals who are PROPERTY OF THE COUNTY (this is even printed on their uniforms)….they don’t enjoy our same liberties.’

After informing the Pentagon of the breach on January 15th, the S3 Bucket leak was eventually closed by January 16th.

Ariel Hochstadt, Co-Founder of vpnMentor said: ‘For a technology company, our research team found it odd that there was no available privacy policy nor terms of service for JailCore, and their site is being served unencrypted without an SSL certificate.’ 

‘We were able to access Jailcore’s S3 bucket because it was completely unsecured and unencrypted. 

‘JailCore could have easily avoided this leak if they had taken some basic security measures to protect the S3 Bucket, such as securing their servers and implementing proper access rules.’ 

Data leaked included inmates’ prescription records – such as medicine name, dosage, and whether the inmate accepted the medicine – full names, mugshots, booking numbers, inmate IDs, activity logs and more. 

Full names and signatures of correctional officers and drug administrators were also exposed. 

‘Each detainee that was checked into a detention center, from what we could see, has a number of PII about themselves and their mugshots logged into the system, vpnMentor explained in a blog post. ‘

‘A portion of this is shared in an online, publicly-accessible roster of current inmates when it comes to county jails, for example.’ 

‘What’s not meant to be available to all is individual specific medication information and additional sensitive data.’ 

‘Also included were the full names of correctional officers (and occasionally their signature), associated with personally-filled out observation reports and the like. 

Although JailCore was not pleased about hearing there was a leak it did state ‘data Security is of utmost importance here at JailCore.’ 

‘We ensure all of our data is encrypted end to end as well as when it is at rest.’



READ SOURCE

Leave a Reply

This website uses cookies. By continuing to use this site, you accept our use of cookies.