Massive data leak exposes medical records, mugshots and IDs of more than 36,000 US inmates

Tens of thousands of files belonging to US inmates were leaked online.

Cyber security researchers discovered a bucket containing the mugshots, full names, IDs, medical records and other sensitive information of 36,077 incarcerated individuals.

JailCore, a platform used to manage correctional facilities, was left unsecured and unencrypted on an Amazon server, impacting locations in Florida, Kentucky, Missouri, Tennessee and West Virginia.

The bucket was discovered by vpnMentor on January 3rd, but was not closed until nearly two weeks later – leaving enough data exposed online for cybercriminals to steal a person’s identity.

However, a JailCore spokesperson told DailyMail.com that many of the files in the bucket are for demonstration purposes only and are not information of real inmates.

In addition, personal information of inmates is not governed under the same laws as that of free citizens; it is public information, the spokesperson continued.

JailCore also explained that jails are not HIPAA compliant – meaning their medical information does not have to be kept private.


While HIPAA may apply to inmates’ medical records, the privacy of health information about individuals in pretrial release, on probation, or on parole is not protected by HIPAA, according to Corrections.com.

The team explained that stealing the identity of a person who is in jail can cause greater damage, as it may take some time to discover they have been scammed.

Hackers could also use their information to engage in other illegal activity such as credit card fraud and scams on families.

According to vpnMentor, JailCore refused to accept the disclosure of their findings, and demanded that the information be sent over via fax. 

The data leak was first spotted on January 3rd and vpnMentor quickly reached out to JailCore directly on January 5th.

JailCore told DailyMail.com in an interview that they ‘are a startup with six clients who house 1,200 inmates.’


‘It is not fair that people [vpnMentor] are able to publish whatever they like without getting the facts.’ 

‘None of the information found in the bucket is deemed private, as an inmate does not have the same privacy laws as we do.’

‘Jails are also not HIPAA compliant, so none of their medical records are deemed private.’

‘These individuals are the property of the county, which it says on the back of their clothing.’

‘They do not get to decide what to do or where to go, they do not have the same privileges as we do.’ 

‘If the correction facilities that housed Jeff Epstein and Aaron Hernandez were using JailCore they may still be alive because we aim at providing transparency for jails and their staff.’ 

The JailCore spokesperson continued to explain that many of the documents found in the bucket were for demonstration purposes and not actual information on inmates.

‘We understand that the bucket was left online unsecured,’ the spokesperson continued, ‘but that issue has been rectified and it is now secure.’    


After the Pentagon was informed of the breach on January 15th, the S3 bucket was eventually closed by January 16th.

DailyMail.com has contacted the Perry County jail in Missouri, as they are shown in the leak, for a statement, but they refused to comment.

Ariel Hochstadt, Co-Founder of vpnMentor said: ‘For a technology company, our research team found it odd that there was no available privacy policy nor terms of service for JailCore, and their site is being served unencrypted without an SSL certificate.’ 

‘We were able to access JailCore’s S3 bucket because it was completely unsecured and unencrypted.

‘JailCore could have easily avoided this leak if they had taken some basic security measures to protect the S3 Bucket, such as securing their servers and implementing proper access rules.’ 

Data leaked included inmates’ prescription records – such as medicine name, dosage, and whether the inmate accepted the medicine – full names, mugshots, booking numbers, inmate IDs, activity logs and more. 

Full names and signatures of correctional officers and drug administrators were also exposed. 

‘Each detainee that was checked into a detention center, from what we could see, has a number of PII about themselves and their mugshots logged into the system,’ vpnMentor explained in a blog post.

‘A portion of this is shared in an online, publicly-accessible roster of current inmates when it comes to county jails, for example.’ 

‘What’s not meant to be available to all is individual specific medication information and additional sensitive data.’ 

‘Also included were the full names of correctional officers (and occasionally their signature), associated with personally-filled out observation reports and the like.’

Although JailCore was not pleased to hear there was a leak, it did state: ‘Data security is of utmost importance here at JailCore.’

‘We ensure all of our data is encrypted end to end as well as when it is at rest.’
