Prisoners exploit tablet vulnerability to steal nearly $225K

Idaho prison officials said on Thursday that 364 inmates in five of the state’s prisons exploited vulnerable software in the JPay tablets they use for email, music and games in order to pump up the cash balances of their accounts.

The inmates transferred nearly $225K into their JPay accounts, according to the Associated Press.

The handheld tablets are used in prisons across the country, where inmates use them to stay in touch with the outside world via money transfers, emailing families and friends, buying and listening to music, video visitation, parole and probation payments, and downloading and playing games. The devices are made available through a contract between JPay and CenturyLink. Inmates can pay for entertainment, games and additional services with JPay credits.

Idaho Department of Correction spokesman Jeff Ray said on Thursday that no taxpayer money was involved in the fraud. The tablets operate over a secure network and don’t offer access to the wider internet.

The transfer scam was discovered earlier in the month by a special investigations unit, Ray said.

Mark Molzen, a spokesman for CenturyLink, told the AP that the problem involved inmates “intentionally exploiting a software vulnerability to increase their JPay account balances.” The company declined to give details, considering any such to be proprietary information. Molzen did say that the vulnerability has since been fixed, however.

According to Ray, the largest amount swindled by a single inmate was a little under $10,000. Fifty of the inmates transferred amounts exceeding $1,000 into their accounts.

This was no accident, Ray said:

It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account.

Ray said that JPay has managed to claw back more than $65,000 worth of credits. The guilty inmates have been shut out of much of the tablets’ functions: they won’t be able to download games or play music until they pay back what they owe to the company, he said. They’ll still be allowed to read and send emails, though.

The Idaho Department of Correction has issued disciplinary reports to the involved inmates. That could lead to loss of privileges and a possibly reclassification to a higher security risk level.