Report: JailCore Left Prisoners’ Data Unprotected Online
by Matt Clarke
On February 10, 2020, cybersecurity research team vpnMentor reported the discovery of an unsecured cloud storage server containing data from JailCore, an online management and compliance application used by jails to streamline functions like logging prisoner checks. While some of the information generated is public, other information is potentially sensitive or protected by federal medical information privacy laws.
The vpnMentor team, led by Noam Rotem and Ran Locar, discovered the data security breach on January 3, 2020, while conducting a large web-mapping project. What it came upon was a data “bucket” on an Amazon-hosted S3 server that was “completely unsecured and unencrypted,” containing just over 36,000 files generated by JailCore software. Anyone browsing the web who happened upon the right URL could access all of the bucket’s contents.
This included nonpublic logs noting dates and times prisoners used the bathroom, received a meal tray or were given prescription medications, along with the name and dosage of each drug, as well as the name – and sometimes the signature – of the jail staffer administering it. Much of the information is covered by federal medical information privacy protection laws. The files also contained public information on prisoners, such as names, birthdates, and mugshots.
Founded in 2017 and based in Brentwood, Tennessee, JailCore is a subsidiary of CRS Technologies, LLC, which also owns Correctional Risk Services, a provider of medical insurance to jails that covers healthcare services for prisoners and detainees requiring offsite treatment. It was founded in 2004 by Steve Kreal, who still maintains the employee-health benefits company he founded in 1983, Stephen M. Kreal and Associates.
The research group first informed JailCore directly about the data breach on January 5, 2020. After JailCore refused to accept disclosure of the findings, vpnMentor informed the Pentagon on January 15, 2020. By the next day, the leaky S3 bucket had been secured.
JailCore issued a belligerent response, claiming that most of the entries in the database were dummy entries used to test it and that only a few logs tracked real prisoners’ medication. It also claimed that prisoners have no privacy rights and—absurdly—are in fact property of the county in which they are jailed.
“These are incarcerated individuals, not free citizens,” read a statement from JailCore founder and CEO D. J. Kreal, who is the son of Steve Kreal. “Meaning the same privacy laws that you and I enjoy, they do not. I would implore you to get all facts straight before writing/publishing anything. You cannot look at this like an example of a private citizen getting certain private information hacked from the cloud. These are incarcerated individuals who are PROPERTY OF THE COUNTY (this is even printed on their uniforms) ... they don’t enjoy our same liberties.”
Of course, jail inmates are not county property; only their uniforms are. Prisoners’ medical records are also protected by the same federal privacy laws that protect free citizens. Further, many are pretrial detainees who have not been convicted of anything and enjoy most of the same rights as those outside of jail.
In April 2020, the younger Kreal announced a new app to help jails assess and track individuals infected with the coronavirus that causes the COVID-19 disease. Kreal said the product “is designed to be extremely intuitive so very few mistakes are made.”
Sources: vice.com, vpnmentor.com, correctionalnews.com, bizjournals.com