JPay Vulnerability Exploited by Idaho Prisoners for $225,000 in Credits
by Steve Horn
In the realm of prisons and jails, many companies have positioned themselves to profit from mass incarceration.
Few have done so in the area of prisoner communications with as much vigor as JPay, whose business model centers around charging prisoners fees to communicate with the outside world via phone calls, video calling and e-messaging. The company also has a substantial share of the prison money transfer market.
But JPay, which has myriad contracts with jails and state prison systems, has come under scrutiny over a vulnerability in its media content ordering system that was exploited in June and July 2018 at several facilities run by the Idaho Department of Correction.
Prison Legal News obtained documents via a public records request concerning the incident, which indicate that a prisoner tipped off state officials. Though his name was redacted, one document shows the prisoner contacted prison staff through a confidential informant line, explaining how the JPay vulnerability was being exploited by other prisoners.
The informant had originally reached out to JPay on June 28 via the company’s internal support system, letting them know prisoners were using a “glitch” to obtain hundreds of dollars worth of credits to purchase music, games and email “stamps.”
Many of the mainstream media outlets that reported on the incident – most of which relied heavily on a statement released by Idaho prison officials – used the words “hack” or “hacking” to describe what happened. But that wasn’t accurate, as it was apparently a flaw in JPay’s ordering system that prisoners managed to exploit.
Several Idaho prisoners contacted PLN, saying that due to a glitch that added credits to their JPay accounts, prison officials had frozen the accounts, demanded payment for credits that had already been spent and were issuing disciplinary charges. The claim of a “glitch” wasn’t accurate either, since prisoners evidently had to take certain actions to exploit the JPay vulnerability and have credits added to their accounts.
In a story first broken by the Associated Press, it was reported that 364 prisoners transferred around $225,000 in credits to their JPay accounts, with one adding almost $10,000 and over 50 adding more than $1,000. The exploit was fixed by July 12, 2018, and several days later JPay had recovered over $65,000 worth of the purloined credits.
Mark Molzen, a spokesman for CenturyLink – which facilitates JPay’s prisoner communication services for the Idaho Department of Correction – told the Associated Press that the 364 prisoners had “intentionally [exploited] a software vulnerability to increase their JPay account balances.” He responded to multiple inquiries by Prison Legal News for additional details about the incident by saying CenturyLink could not comment further.
The exploit reportedly involved JPay tablet devices, which are used for e-messaging, music and games. The credits added to prisoners’ accounts through the exploit were credits for purchasing JPay services, not actual money; they could not be transferred to prisoners’ DOC trust accounts or otherwise converted into cash. Nor, according to Idaho prison officials, could prisoners transfer the credits to other prisoners. Most of the prisoners involved in the incident were housed at the Idaho State Correctional Institution, Idaho State Correctional Center, Idaho Correctional Institution-Orofino and South Idaho Correctional Institution.
“JPay is proud to provide services that allow incarcerated individuals to communicate with friends and family, access educational programming, and enjoy positive entertainment options that help prevent behavioral issues,” JPay spokesperson Jade Trombetta told the Associated Press in a statement. “While the vast majority of individuals use our secure technology appropriately, we are continually working to improve our products to prevent any attempts at misuse.”
Critics of JPay and for-profit prison communications have pointed to the high cost of the company’s services as the root of the problem. Sending an email using JPay costs $0.47 per page, while downloading a single song can cost as much as $3.50, according to Idaho Department of Correction data posted on JPay’s website. For some perspective, Idaho prisoners receive wages ranging from $0.10 to $0.90 per hour, as indicated on an Inmate Incentive Pay document published by the Idaho Department of Correction.
“These are the poorest folks in the state ... and they are being asked to pay unreasonable sums of money to stay in touch with their loved ones,” said Peter Wagner, executive director of the Prison Policy Initiative.
In response to the JPay incident, prison officials have taken disciplinary action against prisoners who added credits to their accounts using the exploit, “which means they could lose privileges or be moved to stricter security classification levels,” according to Idaho DOC spokesman Jeffrey Ray. The disciplinary convictions may affect prisoners’ parole eligibility. Further, records obtained by PLN show that JPay implemented its own form of punishment, too. This was explained in a July 20, 2018 email from Juliet McKay, the Grants/Contracts Officer for the Idaho Department of Correction.
“JPay has determined that the best course of action ... is to debit the inmate’s media account for the amount stolen,” she wrote. “This will take the inmate’s JPay account into the negative. The inmate will be unable to purchase additional media (music, games, etc.) until such time as the negative balance is paid. Once the negative balance is satisfied, the media purchase button will be turned on for the inmate to utilize.”
However, prisoners involved in the JPay exploit will still be allowed to use the company’s email service – which ensures that JPay will continue to receive per-message fees. They also were allowed to keep any media content purchased using credits obtained through the exploit. McKay noted that “JPay will eventually be paid for [that] content,” since prisoners will have to pay off their negative account balances before they can obtain any other music or games.
JPay is a subsidiary of Securus Technologies, which has phone contracts with a number of state prison systems and local jails. Securus has experienced its own security breaches, including an incident reported in May 2018 in which a hacker obtained data for thousands of the company’s law enforcement customers, and a 2015 incident where a hacker obtained millions of prisoners’ phone records, including calls made to attorneys. [See: PLN, Aug. 2016, p.1].
Sources: www.apnews.com, www.jpay.com, www.idoc.idaho.gov, www.prisonpolicy.org, documents obtained via public records request