Report: Hackers Accessed Law Enforcement Agencies Across the Country Through Securus Technologies

“Most of the users in the spreadsheet are from U.S. government bodies, including sheriff departments, local counties, and city law enforcement. Impacted cities include Minneapolis, Phoenix, Indianapolis, and many others.”

by Libor Jany, Star Tribune / May 29, 2018

(TNS) — A hacker slipped into the servers of prison technology giant Securus Technologies and exposed thousands of potentially confidential records from law enforcement agencies across the United States, including in Minnesota, according to a technology website.

The compromised data included more than 2,800 user names, e-mail addresses, phone numbers, passwords and security questions — dating from 2011 to the present — of Securus law enforcement users. They were included in a spreadsheet that was shared by the hacker with Vice Motherboard. It was not immediately possible to independently verify the leak.

“Most of the users in the spreadsheet are from U.S. government bodies, including sheriff departments, local counties, and city law enforcement. Impacted cities include Minneapolis, Phoenix, Indianapolis, and many others,” the website reported. Motherboard did not name the local affected agency in its May 16 report.

According to its website, Securus works with “more than 3,400 public safety, law enforcement and corrections agencies and over 1.2 million inmates across North America.” Founded in 1986, the Dallas-based firm provides phone and video services for at least 18 detention centers in Minnesota — including the Hennepin and Ramsey county jails, as well as the Hennepin County workhouse — that also allow authorities to monitor both outgoing and incoming calls.

In Matt Ehling’s mind, any breach raises questions about how a company handles data collection and privacy.

“As more and more systems, government and private systems, have been connected up to the Internet, you just see more and more of these problems occur,” said Ehling, executive director of Public Record Media.

Under a state law adopted several years ago, companies and government agencies are required to notify consumers of all data breaches, he added.

Locally, officials downplayed the apparent breach.

Jon Collins, a spokesman for the Hennepin County Sheriff’s Office, which runs the county jail, said that Securus officials alerted them to the hack, insisting that no passwords or other sensitive data had been stolen.

“What we use Securus for was not affected by whatever data breach they had,” Collins said on Friday.

Less clear was whether the user names, e-mail addresses and phone numbers of sheriff’s employees had been leaked, but “it wouldn’t have been any information to allow somebody to get into the portal that we use for our jail phone system,” he said. Securus has since changed its security protocols, requiring all users to choose new passwords and confirm their ID, he said in a follow-up e-mail.

The Ramsey County Sheriff’s Office received a letter from Securus on May 22 informing the office that none of its data were compromised, according to Becqi Sherman, a spokeswoman.

Minneapolis police spokesman Scott Seroka said via e-mail that the department wasn’t affected by the hack, and messages left for other counties that contract with Securus went unreturned.

In a statement to Motherboard, Securus officials said the scope of the breach was limited, while adding that it is continuing its forensic investigation into the matter.

Concern about cybersecurity and safety has increased after several recent high-profile hacks.

In recent weeks, the New York Times has reported that Securus had been acquiring phone location data from major telecom providers like AT&T, Sprint, T-Mobile and Verizon and providing them to law enforcement agencies.

Such geolocation allows police and sheriff’s departments to track phones across the country with astonishing accuracy — and often with little oversight, the Times reported.

©2018 The Star Tribune (Minneapolis.) Distributed by Tribune Content Agency, LLC.