Officials at the Idaho Department of Correction say that inmates from five different facilities across the state collected nearly a quarter million dollars in credits after hacking their tablets.
Up to 364 inmates exploited a vulnerability in JPay tablets – which were given to prisoners for email, music and games – to improperly increase their account balances, officials said. The total amount stolen by all the inmates totaled nearly $225,000.
JPay is operated by CenturyLink. The service offers tablets for inmates to perform various functions – including listening to music, reading and writing emails, and playing purchased games. As part of these functions, inmates can utilize JPay Media Accounts, which offers a credit system through which they can purchase various games or eBooks.
“On July 2, the Idaho Department of Correction informed us that inmates at five institutions intentionally exploited a vulnerability to increase their JPay account balances,” a CenturyLink spokesperson told Threatpost. “This improper conduct involved no taxpayer dollars.”
CenturyLink told Threatpost that “the vulnerability issue has been resolved” – but did not answer additional requests for comment regarding the incident – including questions about what specific vulnerability the inmates were able to leverage.
The spokesperson said that the department of corrections has charged the inmates with a Class B disciplinary offense and ordered them to make restitution to CenturyLink.
Up to five facilities were impacted, the spokesperson said – including the Idaho State Correctional Institution, Idaho State Correctional Center, South Idaho Correctional Institution, Idaho Correctional Institution-Orofino, and the Correctional Alternative Placement Plan.
“This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account,” Jeffrey Ray, public information officer with Idaho’s department of correction, told Threatpost in a prepared statement.
According to Ray, 50 of the inmates had transferred at least $1,000 worth of credits to their tablets – and the largest amount that was improperly transferred were credits totaling $9,990.35. No funds from any individual or institution were transferred into the inmates’ JPay accounts.
JPay has recovered $65,318.89 worth of improper credits, Ray told Threatpost. JPay has also suspended the ability of the inmates to download music and games until they compensate JPay for its losses. The inmates are still able to use JPay to send and receive email.