Inmates hacked prison tablets to transfer money to their own accounts

Share this…

They stole nearly $225K

Up to 364 prisoners participated in an operation to hack JPay tablets from different prisons and, in a collective work, transferred nearly a quarter million dollars to their own accounts, as reported by experts in enterprise data protection services.

The spokesperson from the Idaho Department of Corrections, Jeff Ray, says the department’s Special Investigations Unit discovered the problem earlier this month, and that the crime did not involve taxpayer funds.

According to reports from experts in enterprise data protection services, JPay is a service provided for different correction institutions that provides support technology in activities such as money transfer, email and video call visits. The service can transfer money through an electronic payment system that includes credit and debit payments on an inmate’s account.

These tablets are popular in prisons along the country and are available to Idaho inmates through a contract with CenturyLink and JPay. None of the companies have made further statements about the incident.

The spokesman said in his statement that the prisoners were “intentionally exploiting some vulnerability within the JPay system to unduly increase their JPay account balances”. He added that 50 inmates credited amounts exceeding $1K in their accounts; the largest amount found in a single-prisoner account was a little less than $10K.

The total amount of the robbery was almost $225K.

Individuals involved in the robbery are held at the Idaho State Correctional Facility, Idaho State Correctional Center, Idaho Correctional Facility, southern Idaho Correctional Facility, and in the facilities of the Alternative Correctional Placement, operated by the private prison company MTC Inc.

For specialists in enterprise data protection services from the International Institute of Cyber Security, this is a very serious security flaw, as the inmates were able to build a network capable of compromising software contracted by correctional institutions that may be not secure enough to work with.