Inmates’ and correctional facilities employees’ data has been sloshed onto the web, unencrypted and unsecured, in yet another instance of a misconfigured cloud storage bucket.
Security researchers at vpnMentor came across the leak on 3 January during a web-mapping project that was scanning a range of Amazon S3 addresses to look for open holes in systems.
The leaky bucket belongs to JailCore, a cloud-based app meant to manage correctional facilities, including by helping to ensure better compliance with insurance standards by doing things like tracking inmates’ medications and activities. That means that the app handles personally identifiable information (PII) that includes detainees’ names, mugshots, medication names, and behaviors: going to the lavatory, sleeping, pacing, or cursing, for example.
JailCore also tracks correctional officers’ names, sometimes their signatures, and their personally filled out observational reports on the detainees.
Some of the PII is meant to be freely available to the public: details such as detainee names, dates of birth and mugshots are already publicly available from most state or county websites within rosters of current inmates. But another portion of the data is not: that portion includes specific medication information and additional sensitive data, vpnMentor says, such as the PII of correctional officers.
JailCore closed down the data leak between 15 and 16 January: 10 or 11 days after vpnMentor notified it about the breach (and about the same time that the security firm reached out to the Pentagon about it). The company initially refused to accept vpnMentor’s disclosure findings, the firm said.
Risk of identity theft
The leaky bucket held 36,077 PDFs of data from an Amazon server belonging to JailCore. The security researchers didn’t open each file, but the records that they did open pertained to correctional facilities in Florida, Kentucky, Missouri, Tennessee and West Virginia.
JailCore says that it’s a startup that’s currently working with six jails, totaling 1,200 inmates. It thinks that a tiny portion of real people’s information was involved in the breach. From one of its comments cited by vpnMentor:
“Of those 6 jails, only 1 is using the application to track medication compliance in a 35 inmate jail and only 5 of those 35 inmates in that jail has a prescribed medication. Meaning all other reports with any mention of medication were all used for demonstration purposes only.”
JailCore asked vpnMentor to bear in mind that detainees aren’t free citizens, and that’s a whole ‘nuther can of worms when it comes to privacy rights:
“These are incarcerated individuals, not free citizens. Meaning, the same privacy laws that you and I enjoy, they do not.
“[…] You cannot look at this like an example of a private citizen getting certain private information hacked from the cloud. These are incarcerated individuals who are PROPERTY OF THE COUNTY (this is even printed on their uniforms) … they don’t enjoy our same liberties.”
Does that mean that it’s OK to expose prison inmates to the risk of identity theft? vpnMentor’s take on that risk:
“Knowing the full name, birthdate, and, yes, even the incarceration record of an individual can provide criminals with enough information to steal that person’s identity. Considering that the person whose identity is stolen is in jail, cut off from normal access to a cellphone or their email, the damage could be even greater, as it will take longer to discover.”
When Vice’s Motherboard contacted JailCore, a representative acknowledged that the records were in fact generated by its app and confirmed that JailCore had sealed up the hole. The JailCore rep also told the publication that the company doesn’t think that any of the compromised PII is personally sensitive or compromising in any way.
A tub full of leaky buckets
And thus does JailCore join the Who’s Who list of organizations that have misconfigured their Amazon S3 buckets and thereby inadvertently regurgitated their private data across the world: Dow Jones; a bipartisan duo including the Democratic National Committee (DNC) and the Republican National Committee (RNC); and Time Warner Cable – to name just a few.
In fact, security vendor Threat Stack conducted a survey of 200 AWS users in early 2017 and found that 73% left SSH open to the public, and 62% weren’t using two-factor authentication (2FA) to secure access to their data.
Amazon took a proactive step by scanning its customers’ S3 buckets and sending warnings when it found spillage, reaching out to customers with bad security before crooks had a chance to.
It doesn’t have to be this way. There’s help out there for organizations that can take a deep breath, step away from their servers, and plunge in to learn how to better secure them: Amazon has an FAQ about how to access AWS Simple Storage Service (S3) controls and encryption.
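For anyone who does plunge in, here is an added example, not code from vpnMentor, JailCore or Amazon: a Python check for the two conditions this story turns on, a bucket readable by anyone and no default encryption, run over bucket settings in the shape the S3 API returns them. The sample settings are constructed, the finding labels are invented for the example, and treating any policy Condition as a restriction is a simplifying assumption.

```python
import json

PUBLIC_GROUPS = {  # predefined S3 groups that mean "anyone"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_wildcard(principal):
    # "*" or {"AWS": "*"} (also inside a list) grants access to everyone.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def audit_bucket(acl, policy_json, pab, encryption):
    """Return sorted finding labels (names invented for this example)."""
    pab, findings = pab or {}, []
    # Existing public ACL grants stay effective unless IgnorePublicAcls is on.
    if not pab.get("IgnorePublicAcls"):
        for grant in acl.get("Grants", []):
            if grant["Grantee"].get("URI") in PUBLIC_GROUPS:
                findings.append("public-acl:" + grant["Permission"])
    # Assumption: Allow + wildcard principal + no Condition counts as public.
    if policy_json and not pab.get("RestrictPublicBuckets"):
        stmts = json.loads(policy_json).get("Statement", [])
        for s in [stmts] if isinstance(stmts, dict) else stmts:
            if (s.get("Effect") == "Allow" and not s.get("Condition")
                    and _is_wildcard(s.get("Principal"))):
                findings.append("public-policy")
                break
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("public-access-block-incomplete")
    if not (encryption or {}).get("Rules"):
        findings.append("no-default-encryption")
    return sorted(findings)

# Constructed sample settings, not taken from the bucket in the story.
OPEN_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOCKED = dict.fromkeys(PAB_KEYS, True)
SSE = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}

if __name__ == "__main__":
    print(audit_bucket(OPEN_ACL, OPEN_POLICY, None, None))
    print(audit_bucket(OPEN_ACL, OPEN_POLICY, LOCKED, SSE))
```

Against a real account, the four inputs correspond to boto3's get_bucket_acl, the "Policy" string from get_bucket_policy, "PublicAccessBlockConfiguration" from get_public_access_block, and "ServerSideEncryptionConfiguration" from get_bucket_encryption.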