Database of 70 million prisoner phone calls breached, leaked

A vast collection containing metadata of over 70 million records of phone calls placed by prisoners to at least 37 US states and links to actual recordings for each call has been leaked to reporters of The Intercept by an anonymous hacker.

The origin of the stockpile is Securus Technologies, a company that provides phone services inside prisons and jails via its Secure Call Platform.

The platform allows the monitoring and recording of calls, but should be set up not to records phone calls between prisoners and their attorneys, as that type of conversation is protected by the Sixth Amendment to the United States Constitution (the right to confidential attorney-client communications).

But even if such calls end up being recorded – and it can happen, as in most places the lawyers and their clients are required to provide the lawyers’ phone numbers so that they can be put on a do-not-record list, and occasionally they fail to do that – it is unnerving that these recordings are not wiped and are kept for years.

Especially because, as in this case, they can be accessed by hackers – i.e., are not stored securely enough, despite what the company claims and promises.

The cache contains calls made from December 2011 and the spring of 2014, and among the 70 million records of individual phone calls, the reporters found at least 14,000 recorded conversations between inmates and attorneys.

“The hacked database also includes records of calls between prisoners and prosecutors — including 75 calls to a United States attorney’s office in Missouri. These, too, are potentially problematic, particularly if they include conversations with cooperating witnesses who could be vulnerable if the details of their dealings with the government were exposed,” the reporters noted.

Since the release of the report, Secures Technologies issued a statement claiming that so far, theirs and law enforcement agencies’ investigation discovered no evidence that they suffered a breach or hack.

“Instead, at this preliminary stage, evidence suggests that an individual or individuals with authorized access to a limited set of records may have used that access to inappropriately share those records,” they stated.

“It is very important to note that we have found absolutely no evidence of attorney-client calls that were recorded without the knowledge and consent of those parties,” they pointed out. “Our calling systems include multiple safeguards to prevent this from occurring. Attorneys are able to register their numbers to exempt them from the recording that is standard for other inmate calls. Those attorneys who did not register their numbers would also hear a warning about recording prior to the beginning of each call, requiring active acceptance.”

That might as well turn out to be the truth, but a data leak by an insider is still something that they should have managed to prevent. Also, 70 million records of individual phone calls might be a “limited set” of the records they keep stored, but they still promised to store it safely, and they didn’t.