Thousands of login credentials were exposed.
A hacker appears to have successfully broken into the servers of Securus, a company that offers powerful tools for tracking civilians and monitoring inmates to law enforcement departments across the country.
During the breach, the hacker was able to access the login information of thousands of Securus’ clients and provided part of the stolen data to Motherboard, where journalists were able to verify the authenticity of credentials using the site’s password recovery option.
One spreadsheet pulled from the database holds the usernames, email addresses, cryptographically stored passwords, and security information of more than 2,800 accounts. Some of the passwords appeared to have been cracked and it was unclear if they had been stored insecurely in this way on the Securus system.
Government departments and law enforcement authorities from different cities and counties were affected by the hack, which also revealed login information for users with roles such as “prison captain” and “deputy warden.”
“The PII [personally identifying information] exposure in the (still) public user guide raises one question: does Securus have the culture and the procedures in place to protect sensitive PII? The answer appears to be no,” Professor Thomas Rid of Johns Hopkins University told Motherboard.
News of the breach comes just one week after the New York Times profiled the Dallas-based firm and how it sources its data from a range of major telecommunications providers, utilizing a loophole in privacy law to offer warrantless location tracking of mobile devices.
The hacker told Motherboard that the hack was not difficult and that Securus’ security was poor, which alarmed Sen. Ron Wyden (D-Ore.) given the nature of the firm’s business.
“If this account is true, it demonstrates, yet again, that Securus is failing cybersecurity 101, in total disregard for the privacy of the Americans whose communications and private data it should be protecting,” he said, criticizing the offer of warrantless tracking as both “abusive and potentially unlawful.”
Securus did not respond to requests for comment.