An unsecured cloud storage server containing 36,077 files of sensitive inmate data was recently discovered online, cybersecurity research team vpnMentor disclosed on Monday, Feb 10.
According to the report, the server, identified as a misconfigured Amazon S3 bucket, belongs to JailCore, a cloud management platform used by US correctional facilities. Overall, the researchers said that over 36,000 PDFs generated by the software, which include sensitive personal data of an unidentified number of inmates, were publicly accessible due to the leaky bucket.
“For a technology company, our research team found it odd that there was no available privacy policy nor terms of service for JailCore, and their site is being served unencrypted without a SSL certificate,” the report stated.
The exposed details include names, mugshots, IDs, booking numbers, activity logs, and a host of personal health information of inmates at centers across Florida, Kentucky, Missouri, Tennessee, and West Virginia.
“Each detainee that was checked into a detention center, from what we could see, has a number of PII about themselves and their mugshots logged into the system. A portion of this is shared in an online, publicly-accessible roster of current inmates when it comes to county jails, for example,” the team specified.
In an effort to limit the impact of the breach, vpnMentor said it had reached out directly to JailCore, but, to their dismay, the software company refused to accept the disclosure of their findings.
“We then reached out to The Pentagon to bring this leak to their attention, and the S3 Bucket leak was subsequently closed,” the team explained.
A representative from JailCore acknowledged the reports but claimed the company believes that none of the information exposed is compromising in any way, as most of the reports were fake records of inmates used to test the functionality of the software.
The leaky S3 bucket was discovered by vpnMentor on Jan 3 while conducting a web mapping project, which involves scanning a range of Amazon S3 addresses.
“This leak represents a potentially severe threat to those whose data has been exposed. It has many implications, all of which could very well ruin the lives of those involved,” the research team warned.
“For many of the app’s customers, there is a current inmate roster on their Detention Center’s website. However, this roster does not include their medicine, their behavior, and their punishments – all of which were potentially made available in this data leak.”