A hacker has reportedly provided journalists with access to credentials and other data from Securus' servers, a company that recently revealed that it would sell mobile location information to US law enforcement agencies without authority. The hacker is said to have provided several internal files to Motherboard, including a database of over 2,800 Securus usernames – mostly government agencies, sheriff departments and local law enforcement agencies. The customer information comes from the year 2011, reports the motherboard. Information about Securus employees, including their personal e-mail addresses, has also been stolen.
The New York Times reported last week that Securus had managed to get data about the location via telecommunications companies about their proximity to cell towers. This capability is generally reserved for marketing purposes or for companies providing breakdown assistance. The gap has also allowed Securus to provide the police with the same information without a warrant.
The motherboard said that it had verified the data provided by the hacker by using a forgotten password on the Securus website. If an address is entered by a person who is not a Securus customer, the page will return an error. However, the addresses provided by the hacker have checked out, apparently confirming that the stolen data is genuine.
It is not clear how many of these users have access to Securus' phone locator. But other parts of the data indicate that many of the users are likely to work in prisons: some of the user roles are labeled as "prison warden", "prison governor" and "deputy warden". On its website, Securus markets its Location Based Services product to prisons so staff can know where inmates are calling.
The site lists Minneapolis, Phoenix, Indianapolis as cities affected by the violation.
Securus, a Dallas-based company, has sold its services to prison facilities, among others; She claims that this provides prison officials with an opportunity to monitor escape attempts and smuggling operations. A senior MP at the sheriff's office in Pinal County, Arizona, told The Times that Securus's service had been successfully used in one case to track down a suspect who had allegedly sent a letter to an inmate with methamphetamine.
Sen. Ron Wyden, a leading privacy advocate, has asked the Federal Communications Commission to investigate mobile operators using Securus. In a letter addressed to Gizmodo, Wyden called the practice of providing location data without an arrest warrant "abusive and possibly unlawful."
Securus could not be reached immediately for comment.