Securus phone-tracking company has been hacked

EXECUTIVE SUMMARY:

A hacker has provided stolen data, including usernames and poorly secured passwords for thousands of Securus’ law enforcement customers, to Motherboard.

Securus, a company known for providing telecommunications services that connect prisoners with their families (and monitor their conversations) and for supplying law enforcement officials with phone-tracking data, is stirring controversy. As The New York Times reported about a week ago, the company can track almost any cellphone in the country within seconds. Reportedly, a sheriff used the service at least 11 times between 2014 and 2017, targeting a judge and members of the state highway patrol. It was enough to prompt one US senator to call for an investigation.

Now the target of a data breach, Securus is even more in the hot seat. According to Motherboard, the latest development reinforces concerns about a company with lax security offering significant surveillance abilities to law enforcement.

“A spreadsheet allegedly from a database marked ‘police’ includes over 2,800 usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users, stretching from 2011 up to this year,” reports Motherboard. At issue: The hashes were created with the MD5 algorithm, known for its vulnerabilities. This makes it far easier for cyberattackers to learn a user’s real password. On top of that, according to Motherboard, some of that password-cracking legwork appears to already have been done. “Indeed, some of the passwords have seemingly been cracked and included in the spreadsheet. It is not immediately clear if the hacker that provided the data to Motherboard cracked these alleged passwords or if Securus stored them this way itself.”
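For teams that still hold MD5 password digests like those described above, the following added example (not from the article, Motherboard, or Securus) shows one common remediation: find legacy records and replace each with a salted, slow hash the next time the user logs in. The record format, function names, sample accounts, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 600_000                 # assumed work factor; tune to your hardware
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")  # assumed legacy format: bare MD5 hex digest

def hash_password(password: str) -> str:
    """Return a salted record: scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def is_legacy(stored: str) -> bool:
    """True when the stored value looks like a bare MD5 digest."""
    return bool(LEGACY_MD5.match(stored.lower()))

def legacy_accounts(records: dict) -> list:
    """Audit helper: usernames whose stored hash still needs migration."""
    return sorted(user for user, stored in records.items() if is_legacy(stored))

def verify_and_upgrade(password: str, stored: str):
    """Check a login attempt; return (ok, record_to_store_afterwards)."""
    if is_legacy(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(candidate, stored.lower()):
            # Correct password: replace the MD5 record while the plaintext is in hand.
            return True, hash_password(password)
        return False, stored
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            raise ValueError("unknown scheme")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False, stored  # malformed or unsupported record: reject, keep as-is
    return hmac.compare_digest(dk.hex(), digest_hex), stored

# Constructed sample store: one legacy MD5 record, one already-migrated record.
SAMPLE_USERS = {
    "alice": hashlib.md5(b"constructed-sample-pw").hexdigest(),
    "bob": hash_password("another-constructed-pw"),
}

if __name__ == "__main__":
    print("needs migration:", legacy_accounts(SAMPLE_USERS))
    ok, SAMPLE_USERS["alice"] = verify_and_upgrade("constructed-sample-pw", SAMPLE_USERS["alice"])
    print("login ok:", ok, "| still legacy:", legacy_accounts(SAMPLE_USERS))
```

Accounts that never log in again keep their MD5 record under this scheme, so the audit helper's output should drive a forced password reset for whatever remains after a cutoff date.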