Most of the users in the spreadsheet are from US government bodies, including sheriff departments, local counties, and city law enforcement. Impacted cities include Minneapolis, Phoenix, Indianapolis, and many others. The data also includes Securus staff members, as well as users with personal email addresses that aren’t explicitly linked to a particular government department.
Motherboard verified the data by using Securus’ website’s forgotten password feature. When typing in a gibberish email address, the site returned an error. But when presented with a username and email address from the hacked data, the site progressed to the next stage of the password reset process, confirming that those credentials are stored within Securus’ systems. Every set of credentials Motherboard tested was successful. Securus also confirmed a set of data had been "unlawfully accessed."
"While our forensic investigation continues, evidence at this point indicates that impacted data is a very limited scope of administrative user account information," Securus' statement to Motherboard reads. "We intend to provide law enforcement authorities with the details from our investigation and ask for aggressive prosecution when warranted," it added.
It is not totally clear how many of these users have access to Securus’ phone location service. But other parts of the data indicate that many of the users are likely to be working in prisons: some of the users’ roles are marked as “jail administrator,” “jail captain,” and “deputy warden.” On its website, Securus markets its “Location Based Services” product to prisons so staff can know where inmates are calling.
The hacker explained to Motherboard how they allegedly obtained the data, and from that account, it appears the hack was relatively simple. And a hack of Securus was also the basis for a previous 2015 investigation from The Intercept, which included 70 million prisoner phone calls.
But this latest data breach is not the only sign that Securus is careless with sensitive information. Rid pointed Motherboard to a Securus user manual available online. One part shows a map and user interface for a Securus product, but instead of populating the screen with fake data for demonstration purposes, the guide appears to include the real name, address, and phone number of a specific woman. (Motherboard confirmed the details with those in online databases, as well as a media report that mentions the woman.)
“The PII [personally identifying information] exposure in the (still) public user guide raises one question: does Securus have the culture and the procedures in place to protect sensitive PII? The answer appears to be no,” Rid told Motherboard.
Senator Ron Wyden, who sent letters to major telcos and the FCC pushing for more answers around Securus before the New York Times’ piece, told Motherboard in a statement that “If this account is true, it demonstrates, yet again, that Securus is failing cybersecurity 101, in total disregard for the privacy of the Americans whose communications and private data it should be protecting. This incident is further evidence that the wireless carriers and FCC need to step up and do much more to ensure that Americans’ location information and other personal information isn’t sold to companies like Securus that have demonstrated that they simply don’t care about cybersecurity.”
Jason Koebler contributed reporting.
Update: This piece has been updated to include extra context around another Securus data breach reported by The Intercept, and more information from a Securus statement.