According to a report released Monday morning, a team of cybersecurity researchers recently discovered an unsecured cloud storage server hosted by Amazon that contains data from a software program called JailCore. This software, according to the company’s website, is used by several state and county jails to streamline the process of conducting and logging inmate check-ins by correctional officers, and the reports it generates contain a variety of potentially sensitive information.
Researchers at vpnMentor first discovered this data on January 3 as part of a web mapping project that was scanning a range of Amazon S3 addresses. The storage bucket containing JailCore’s data was seemingly completely unsecured, and could be accessed by anyone who stumbled across its URL. After the research team contacted the company responsible for the software on January 5, the issue was finally resolved on January 15 and the S3 bucket now appears to be properly secured.
The contents of the affected bucket amount to just over 36,000 PDFs generated by the JailCore software, and much of the personal information included in these generated reports is already publicly accessible. Details such as inmate names, dates of birth and mugshots are in most states already available from the state or county website directly, so their inclusion in this leaked data is not particularly notable. Other details in the breach included logs that noted the exact time and date at which a particular inmate went to the bathroom or received a meal tray. The breach also included what appear to be records of what medication inmates were being given. Specific prescription drug names, dates and times of administration, and whether the inmate accepted the medication are all included in some of the leaked reports.
When contacted for a statement, a JailCore representative acknowledged that the reports were generated by its software and confirmed that JailCore had resolved the security problem, but also said that they believe none of the personal information contained in the reports is compromising in any way. They pointed out that the vast majority of the reports were for fake inmates used to test the app’s functionality, and that they believe the small percentage of the leaked files that did contain information on real inmates did not contain anything personally sensitive or compromising.
A correctional officer at one of the jails whose inmates’ data was included in the leak was also able to confirm that the facility does indeed use JailCore’s software, which corroborates the researchers’ claims that some of the leaked data belongs to real inmates rather than placeholder entries.
This breach is the latest in a long line of problems caused by AWS S3 storage servers left open to the public by their owners, resulting in the accidental release of everything from audio recordings of a financial institution’s phone calls to the personal information of an ad agency’s talent roster.