Business Insider, 16 May 2018: Securus is a prison technology company best known for providing
phone
services for inmates. One of its lesser-known services is a geolocation service that lets law
enforcement track almost any cell phone within seconds. Last week, the New York Times reported that
a Missouri sheriff is accused of using Securus technology to track people, including a judge,
without a warrant. The incident raised security and privacy concerns. According to Motherboard, a
hacker was able to breach the company’s server, and supplied the publication with internal
documents. The 10-year-old company came into the spotlight last week, when the New York Times
reported that Cory Hutcheson, a former Missouri sheriff, was accused of allegedly using Securus
services to track the whereabouts of people’s cellphones, including a judge and members of the
highway patrol, without warrants. Hutcheson pled not guilty. The Dallas-based company is one of the
leading providers of prison phone services, enabling inmates to communicate with the outside world.
However, it also offers an additional feature to its customers in law enforcement — the ability to
track the location of any cell phone across the country, in seconds. In theory, this location
service is meant for benevolent uses, like helping law enforcement solve crimes, or hospitals to
recover wayward patients with Alzheimer’s. Furthermore, when inmates make a phone call, it gives
prison staff a way to know where, exactly, the person they’re speaking with is located. The Times
reports that Securus’ tracking tech works even if GPS is switched off on the target’s phone: It
uses cell phone towers to triangulate the phone’s location, using tech originally invented for
marketing. ZDNet has a deeper dive on how this feat is accomplished, and how Securus seems to use
middleman companies to stay within the law. On Wednesday, less than a week after the Times
published its story, Motherboard reported that hackers had supplied it with a spreadsheet of
internal company files on customers who had bought Securus services since 2011, including personal
information on 2,800 Securus users. Motherboard described the contents of this breach as including
“poorly secured passwords for thousands of Securus’ law enforcement customers,” as well as
usernames, email addresses, phone numbers, and other personal information. And Motherboard reports
that it was able to verify that the information was accurate. The data breach also reportedly
includes that of Securus staff members. And according to Motherboard, the roles of the users listed
in the spreadsheet that the hacker supplied include “jail administrator” and “deputy warden,”
indicating that much or even most of the hacked data came from
prison staff.