A couple of days ago the Dallas, Texas-based prison technology company Securus made headlines for assisting the Police in the United States to perform real-time cell phone tracking of mobile users in the country.
Now, reportedly, Securus has suffered a data breach in which an unknown hacker has stolen its data. The hacker managed to steal login credentials of 2,800 customers including usernames, emails, poorly hashed passwords, phone number, and security questions.
Although we at HackRead cannot confirm the breach on our behalf, Joseph Cox of Motherboard, on the other hand, was in contact with the hacker who shared a sample data with the website. The data was then tested and confirmed legit by Cox – This means Securus has been pwned.
Moreover, a quick analysis of the stolen data has revealed that it contains information from 2011 forward while the impacted customers include city police and sheriff departments from Indianapolis, Phoenix, and Minneapolis.
For those who are unaware of how Securus works, it is a prison telecom firm that helps law enforcement monitor the majority of cell phones in the US. By using the web interface that leverages its location API, Securus is able to successfully access cell-site databases in real-time. These records are then used to obtain cell phone data to enable tracking.
George Avetisov, CEO of HYPR, commented on the issue and said that, “There is an expectation they are sharing data but not with explicit disclosure that there is risk or that the data are used by third parties and this is exactly why sensitive data belongs in the hands of those to whom it belongs: its owners. This is yet another example of how centralization of data inevitably results in unauthorized access due to hacking or accidental loss.”
Travis Jarae, CEO of OWI, said that “the Securus hack once again shows that people are focused solely on results and not on the vulnerabilities of the technologies used to produce them. In front of the Supreme Court right now is the case of Carpenter v. U.S., which is exploring the constitutionality of police officers working with third-parties to obtain mobile location data without a warrant. It will be interesting to see the impact this latest news about Securus plays in the outcome, expected later this summer.”
This is not the first time when a firm making recent headline has been hacked a few days after. Previously, the Israeli smartphone cracking firm Cellebrite was hackeddays after news about its capabilities went public. In the attack, hackers leaked 800 GB of the firm’s data which confirmed its in-house hacking capabilities.
In March this year, a US-based firm Grayshift announced it created a tool called GrayKey which can crack any iPhone including iPhone 8 and iPhone X. One of its customers even bought the GrayKey device for $15,000, however on April 26th, 2018 GrayShift reportedly suffered a data breach after its code was stolen and extorted by unknown malicious hackers.