Inmates in Idaho successfully hacked the software of the prison-issued tablets to issue themselves nearly a quarter of a million dollars in credits on the devices that are often one of their only connections to the outside world. The tablets, made by prominent prison vendor JPay, give inmates the ability to use email, listen to music and transfer money, among other basic computing functions, but charge fees for some services.
The Associated Press reports that Idaho prison officials discovered 364 inmates leveraging a software vulnerability to increase their JPay account balances. In Idaho, the devices are the result of a partnership between JPay and CenturyLink. The latter company confirmed the software vulnerability but declined to offer further details beyond stating that it had since been resolved.
Of the 364 inmates exploiting JPay, 50 inmates were able to issue themselves credits for more than $1,000. One inmate was able to use the software flaw to self-issue a credit of almost $10,000. The company has recovered about a quarter of the total of around $225,000 so far and has suspended some functions for inmates until they reimburse the stolen credits.
“This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account,” Idaho Department of Correction spokesperson Jeff Ray said in a statement on the JPay incident.
The individuals exploiting the JPay system are incarcerated at a handful of Idaho prisons, including Idaho State Correctional Institution, Idaho State Correctional Center, South Idaho Correctional Institution, Idaho Correctional Institution-Orofino and a private Correctional Alternative Placement Plan building.
On its website, JPay describes itself as a “highly trusted name in corrections because we offer a fast and secure method of sending money,” which seems up for debate given the recent turn of events. The company has a presence in prisons across 35 states.