A contractor for the Cook County Sheriff's Office, a law enforcement agency that covers the city of Chicago, left exposed online the private data—including the ankle bracelet movements—of people who are under house arrest and being monitored through GPS devices.
Matt Chapman, an investigative journalist who found the leak, described it as "an enormous amount of private information," which included names, email and home addresses, "detailed movement schedules," and more of people under electronic monitoring in Chicago. Chapman alerted the Sheriff's office on May 18, which replied the next day saying the site that was leaking the data had been taken down, according to emails shared with Motherboard.
The Sheriff's office confirmed the leak in an email to Motherboard.
"An initial investigation by the Sheriff’s Office confirmed that certain confidential information was accessible via an internet search. The Sheriff’s Office immediately demanded that [contractor] Protocol terminate all public access to such information and prevent any further access by unauthorized persons," Matt Walberg, the press secretary of the Cook County Sheriff’s press office wrote in a statement.
Activists who have spoken against the use of electronic monitoring in Chicago highlighted how this leak was an indictment of the whole program.
"It’s hard to say how much trouble something like that could cause to people," James Kilgore, the director of the Challenging E-Carceration Project at MediaJustice, said in a phone call. "This technology is fundamentally flawed. And the companies that are driving it are socially irresponsible, and completely uncaring."
Kilgore said he wasn't surprised that BI Incorporated lost control of this data, given that electronic monitoring "has been largely an unregulated technology," and that companies that run it are unaccountable and "get a free pass."
According to the Sheriff's office, Protocol is the company that was maintaining the exposed database. Protocol is part of BI Incorporated, a company that describes itself as "the largest and most complete provider of location and compliance monitoring technologies and related services, offering government agencies a complete solutions continuum for managing low- to high-risk offenders." BI Incorporated is a subsidiary of Geo Group, a company that runs private prisons and had $2.3 billion in revenues in 2020, according to MarketWatch.
BI Incorporated declined to answer a series of specific questions, and instead sent this statement via email: "BI Incorporated works closely with all customers to protect the information and data entrusted to our care. The number of deliberate and malicious cyberattacks on government agencies and companies are increasing, and BI is committed to protecting our customers’ data and the personal information of those we monitor."
Do you have information about similar data breaches or leaks? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, lorenzofb on Wickr and Telegram, or email firstname.lastname@example.org.
Last year, a local NBC affiliate in Chicago reported that there were around 3,000 people under electronic monitoring, "outfitted with electronic ankle bracelets, designed to alert a monitoring center if they have ventured away from their homes or other designated areas."
Walberg, the Sheriff's office press secretary, also said in his May 28 email that his office is now "working with Protocol to address this situation." That means it is asking "a detailed account of any actual or suspected exposure of confidential information," a response and remediation plan, a plan to notify affected individuals, and to engage "a third-party auditor to review Protocol’s security processes and procedures."
When Motherboard asked the Sheriff's office for an update on how those requests are going, another spokesperson declined to comment and deferred to BI Incorporated.
Subscribe to our cybersecurity podcast, CYBER.