Establishing Digital Trust: Don't Sacrifice Security for Convenience
Reporters at The Intercept recently received a 37 GB cache of records of more than 70 million phone calls apparently stolen from Securus Technologies, which provides phone services for approximately 2,200 U.S. prisons.
The calls were placed between December 2011 and the spring of 2014 -- the records include calls placed to almost 1.3 million unique phone numbers by more than 63,000 inmates.
The records include prisoners' first and last names; phone numbers called; date, time and duration of calls; and Securus account numbers.
Notably, the records also include links to downloadable recordings of each call, including at least 14,000 conversations between inmates and their attorneys.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"This may be the most massive breach of the attorney-client privilege in modern U.S. history, and that's certainly something to be concerned about," David Fathi, director of the ACLU's National Prison Project, told The Intercept. "A lot of prisoner rights are limited because of their conviction and incarceration, but their protection by the attorney-client privilege is not."
"Going forward, prisoners will have very good cause to question whether their phone calls with their attorneys are confidential," Fathi added. "And that undermines that very core and fundamental purpose of the attorney-client privilege, which is to allow persons consulting an attorney to give a full and frank account of their legal problem."
According to The Intercept, Securus' system was also breached on July 18, 2014, when someone accessed three calls made by an inmate named Aaron Hernandez, possibly the former New England Patriots player.
In response to The Intercept's report, Securus stated that it's working with law enforcement agencies to investigate the claims. "Although this investigation is ongoing, we have seen no evidence that records were shared as a result of a technology breach or hack into our systems," the company said. "Instead, at this preliminary stage, evidence suggests that an individual or individuals with authorized access to a limited set of records may have used that access to inappropriately share those records."
"It is very important to note that we have found absolutely no evidence of attorney-client calls that were recorded without the knowledge and consent of those parties," Securus added. "Our calling systems include multiple safeguards to prevent this from occurring. Attorneys are able to register their numbers to exempt them from the recording that is standard for other inmate calls. Those attorneys who did not register their numbers would also hear a warning about recording prior to the beginning of each call, requiring active acceptance."
Matt Garland, vice president of research at Pindrop Security, told eSecurity Planet by email that for those affected by the breach, this is unfortunately likely to be just the beginning. "We’ve seen a trend where phone fraud follows high-profile cyber breaches," he said. "For example, after the Ashley Madison hack, victims received calls demanding payment or their account information would be sent to everyone they know."
"The hack of Securus’ records not only revealed information about prisoners, but also provided fraudsters with enough data on friends and family members of the imprisoned to open them up to malicious phone scams," Gardland added. "Phone fraudsters notoriously prey on vulnerable populations such as the elderly, college students or immigrants. We can expect to see extortion scams targeting prisoner's friends and family whose names and numbers were included in the stolen database. These scams might include fraudsters impersonating law enforcement or prison authorities, claiming that either they must pay the prisoner's lawyers or court fees."
"It is important for the victims of this breach to stay diligent and to be skeptical of any demands for immediate payment," Garland said. "Victims should hang up and call the authorities directly. The onus is now on the prisons to open the lines of communication so that those affected can be prepared and won’t be further victimized."
A recent eSecurity Planet article looked at the ways in which phone scams are getting increasingly sophisticated, and offered five suggestions on how to handle a scam call.